2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #ifndef HEADER_RAND_LCL_H
11 # define HEADER_RAND_LCL_H
13 # include <openssl/aes.h>
14 # include <openssl/evp.h>
15 # include <openssl/sha.h>
16 # include <openssl/hmac.h>
17 # include <openssl/ec.h>
18 # include <openssl/rand_drbg.h>
20 /* How many times to read the TSC as a randomness source. */
21 # define TSC_READ_COUNT 4
23 /* Maximum reseed intervals */
24 # define MAX_RESEED_INTERVAL (1 << 24)
25 # define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */
27 /* Default reseed intervals */
28 # define MASTER_RESEED_INTERVAL (1 << 8)
29 # define SLAVE_RESEED_INTERVAL (1 << 16)
30 # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
31 # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
35 /* Max size of additional input and personalization string. */
36 # define DRBG_MAX_LENGTH 4096
39 * The quotient between max_{entropy,nonce}len and min_{entropy,nonce}len
41 * The current factor is large enough that the RAND_POOL can store a
42 * random input which has a lousy entropy rate of 0.0625 bits per byte.
43 * This input will be sent through the derivation function which 'compresses'
44 * the low quality input into a high quality output.
46 # define DRBG_MINMAX_FACTOR 128
49 /* DRBG status values */
50 typedef enum drbg_status_e
{
58 typedef int (*RAND_DRBG_instantiate_fn
)(RAND_DRBG
*ctx
,
59 const unsigned char *ent
,
61 const unsigned char *nonce
,
63 const unsigned char *pers
,
66 typedef int (*RAND_DRBG_reseed_fn
)(RAND_DRBG
*ctx
,
67 const unsigned char *ent
,
69 const unsigned char *adin
,
72 typedef int (*RAND_DRBG_generate_fn
)(RAND_DRBG
*ctx
,
75 const unsigned char *adin
,
78 typedef int (*RAND_DRBG_uninstantiate_fn
)(RAND_DRBG
*ctx
);
85 typedef struct rand_drbg_method_st
{
86 RAND_DRBG_instantiate_fn instantiate
;
87 RAND_DRBG_reseed_fn reseed
;
88 RAND_DRBG_generate_fn generate
;
89 RAND_DRBG_uninstantiate_fn uninstantiate
;
94 * The state of a DRBG AES-CTR.
96 typedef struct rand_drbg_ctr_st
{
101 /* Temp variables used by derivation function */
104 /* Temporary block storage used by ctr_df */
105 unsigned char bltmp
[16];
107 unsigned char KX
[48];
112 * The state of all types of DRBGs, even though we only have CTR mode
115 struct rand_drbg_st
{
118 int secure
; /* 1: allocated on the secure heap, 0: otherwise */
119 int nid
; /* the underlying algorithm */
121 unsigned short flags
; /* various external flags */
124 * The random pool is used by RAND_add()/drbg_add() to attach random
125 * data to the global drbg, such that the rand_drbg_get_entropy() callback
126 * can pull it during instantiation and reseeding. This is necessary to
127 * reconcile the different philosophies of the RAND and the RAND_DRBG
128 * with respect to how randomness is added to the RNG during reseeding
131 struct rand_pool_st
*pool
;
134 * The following parameters are setup by the per-type "init" function.
136 * Currently the only type is CTR_DRBG, its init function is drbg_ctr_init().
138 * The parameters are closely related to the ones described in
139 * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
140 * crucial difference: In the NIST standard, all counts are given
141 * in bits, whereas in OpenSSL entropy counts are given in bits
142 * and buffer lengths are given in bytes.
144 * Since this difference has lead to some confusion in the past,
145 * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
146 * the 'len' suffix has been added to all buffer sizes for
152 size_t min_entropylen
, max_entropylen
;
153 size_t min_noncelen
, max_noncelen
;
154 size_t max_perslen
, max_adinlen
;
156 /* Counts the number of generate requests since the last reseed. */
157 unsigned int generate_counter
;
159 * Maximum number of generate requests until a reseed is required.
160 * This value is ignored if it is zero.
162 unsigned int reseed_interval
;
163 /* Stores the time when the last reseeding occurred */
166 * Specifies the maximum time interval (in seconds) between reseeds.
167 * This value is ignored if it is zero.
169 time_t reseed_time_interval
;
171 * Counts the number of reseeds since instantiation.
172 * This value is ignored if it is zero.
174 * This counter is used only for seed propagation from the <master> DRBG
175 * to its two children, the <public> and <private> DRBG. This feature is
176 * very special and its sole purpose is to ensure that any randomness which
177 * is added by RAND_add() or RAND_seed() will have an immediate effect on
178 * the output of RAND_bytes() resp. RAND_priv_bytes().
180 unsigned int reseed_counter
;
185 /* Application data, mainly used in the KATs. */
186 CRYPTO_EX_DATA ex_data
;
188 /* Implementation specific data (currently only one implementation) */
193 /* Implementation specific methods */
194 RAND_DRBG_METHOD
*meth
;
196 /* Callback functions. See comments in rand_lib.c */
197 RAND_DRBG_get_entropy_fn get_entropy
;
198 RAND_DRBG_cleanup_entropy_fn cleanup_entropy
;
199 RAND_DRBG_get_nonce_fn get_nonce
;
200 RAND_DRBG_cleanup_nonce_fn cleanup_nonce
;
203 /* The global RAND method, and the global buffer and DRBG instance. */
204 extern RAND_METHOD rand_meth
;
206 /* How often we've forked (only incremented in child). */
207 extern int rand_fork_count
;
210 int rand_drbg_restart(RAND_DRBG
*drbg
,
211 const unsigned char *buffer
, size_t len
, size_t entropy
);
214 int rand_drbg_lock(RAND_DRBG
*drbg
);
215 int rand_drbg_unlock(RAND_DRBG
*drbg
);
216 int rand_drbg_enable_locking(RAND_DRBG
*drbg
);
219 /* initializes the AES-CTR DRBG implementation */
220 int drbg_ctr_init(RAND_DRBG
*drbg
);
projects / thirdparty / openssl.git / blob