crypto/rand/rand_lcl.h

   1 /*
   2  * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #ifndef HEADER_RAND_LCL_H
  11 # define HEADER_RAND_LCL_H
  12
  13 # include <openssl/aes.h>
  14 # include <openssl/evp.h>
  15 # include <openssl/sha.h>
  16 # include <openssl/hmac.h>
  17 # include <openssl/ec.h>
  18 # include "internal/rand.h"
  19
  20 /*
  21  * Amount of randomness (in bytes) we want for initial seeding.
  22  * This is based on the fact that we use AES-128 as the CRBG, and
  23  * that we use the derivation function.  If either of those changes,
  24  * (see rand_init() in rand_lib.c), change this.
  25  */
  26 # define RANDOMNESS_NEEDED              16
  27
  28 /* Maximum amount of randomness to hold in RAND_BYTES_BUFFER. */
  29 # define MAX_RANDOMNESS_HELD            (4 * RANDOMNESS_NEEDED)
  30
  31 /* Maximum count allowed in reseeding */
  32 # define MAX_RESEED                     (1 << 24)
  33
  34 /* How often we call RAND_poll() in drbg_entropy_from_system */
  35 # define RAND_POLL_RETRIES 8
  36
  37 /* Max size of entropy, addin, etc. Larger than any reasonable value */
  38 # define DRBG_MAX_LENGTH                0x7ffffff0
  39
  40
  41 /* DRBG status values */
  42 typedef enum drbg_status_e {
  43     DRBG_UNINITIALISED,
  44     DRBG_READY,
  45     DRBG_RESEED,
  46     DRBG_ERROR
  47 } DRBG_STATUS;
  48
  49
  50 /*
  51  * A buffer of random bytes to be fed as "entropy" into the DRBG.  RAND_add()
  52  * adds data to the buffer, and the drbg_entropy_from_system() pulls data from
  53  * the buffer. We have a separate data structure because of the way the
  54  * API is defined; otherwise we'd run into deadlocks (RAND_bytes ->
  55  * RAND_DRBG_generate* -> drbg_entropy_from_system -> RAND_poll -> RAND_add ->
  56  * drbg_add*; the functions with an asterisk lock).
  57  */
  58 typedef struct rand_bytes_buffer_st {
  59     CRYPTO_RWLOCK *lock;
  60     size_t size;
  61     size_t curr;
  62     unsigned char *buff;
  63 } RAND_BYTES_BUFFER;
  64
  65 /*
  66  * The state of a DRBG AES-CTR.
  67  */
  68 typedef struct rand_drbg_ctr_st {
  69     AES_KEY ks;
  70     size_t keylen;
  71     unsigned char K[32];
  72     unsigned char V[16];
  73     /* Temp variables used by derivation function */
  74     AES_KEY df_ks;
  75     AES_KEY df_kxks;
  76     /* Temporary block storage used by ctr_df */
  77     unsigned char bltmp[16];
  78     size_t bltmp_pos;
  79     unsigned char KX[48];
  80 } RAND_DRBG_CTR;
  81
  82
  83 /*
  84  * The state of all types of DRBGs, even though we only have CTR mode
  85  * right now.
  86  */
  87 struct rand_drbg_st {
  88     CRYPTO_RWLOCK *lock;
  89     RAND_DRBG *parent;
  90     int nid; /* the underlying algorithm */
  91     unsigned short flags; /* various external flags */
  92     unsigned short filled;
  93     /*
  94      * This is a fixed-size buffer, but we malloc to make it a little
  95      * harder to find; a classic security/performance trade-off.
  96      */
  97     int size;
  98     unsigned char *randomness;
  99
 100     /* These parameters are setup by the per-type "init" function. */
 101     int strength;
 102     size_t max_request;
 103     size_t min_entropy, max_entropy;
 104     size_t min_nonce, max_nonce;
 105     size_t max_pers, max_adin;
 106     unsigned int reseed_counter;
 107     unsigned int reseed_interval;
 108     size_t seedlen;
 109     DRBG_STATUS state;
 110
 111     /* Application data, mainly used in the KATs. */
 112     CRYPTO_EX_DATA ex_data;
 113
 114     /* Implementation specific structures; was a union, but inline for now */
 115     RAND_DRBG_CTR ctr;
 116
 117     /* Callback functions.  See comments in rand_lib.c */
 118     RAND_DRBG_get_entropy_fn get_entropy;
 119     RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
 120     RAND_DRBG_get_nonce_fn get_nonce;
 121     RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
 122 };
 123
 124 /* The global RAND method, and the global buffer and DRBG instance. */
 125 extern RAND_METHOD rand_meth;
 126 extern RAND_BYTES_BUFFER rand_bytes;
 127 extern RAND_DRBG rand_drbg;
 128 extern RAND_DRBG priv_drbg;
 129
 130 /* Hardware-based seeding functions. */
 131 void rand_read_tsc(RAND_poll_fn cb, void *arg);
 132 int rand_read_cpu(RAND_poll_fn cb, void *arg);
 133
 134 /* DRBG entropy callbacks. */
 135 void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out);
 136 size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
 137                                 unsigned char **pout,
 138                                 int entropy, size_t min_len, size_t max_len);
 139 size_t drbg_entropy_from_system(RAND_DRBG *drbg,
 140                                 unsigned char **pout,
 141                                 int entropy, size_t min_len, size_t max_len);
 142
 143 /* DRBG functions implementing AES-CTR */
 144 int ctr_init(RAND_DRBG *drbg);
 145 int ctr_uninstantiate(RAND_DRBG *drbg);
 146 int ctr_instantiate(RAND_DRBG *drbg,
 147                     const unsigned char *ent, size_t entlen,
 148                     const unsigned char *nonce, size_t noncelen,
 149                     const unsigned char *pers, size_t perslen);
 150 int ctr_reseed(RAND_DRBG *drbg,
 151                const unsigned char *ent, size_t entlen,
 152                const unsigned char *adin, size_t adinlen);
 153 int ctr_generate(RAND_DRBG *drbg,
 154                  unsigned char *out, size_t outlen,
 155                  const unsigned char *adin, size_t adinlen);
 156
 157 #endif