b1322259 | 1 | /* |
3c7d0945 | 2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
8ad7635e | 3 | * |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ |
9 | ||
10 | #ifndef HEADER_RAND_LCL_H | |
0f113f3e | 11 | # define HEADER_RAND_LCL_H |
8ad7635e | 12 | |
13 | # include <openssl/aes.h> |
14 | # include <openssl/evp.h> | |
15 | # include <openssl/sha.h> | |
16 | # include <openssl/hmac.h> | |
17 | # include <openssl/ec.h> | |
f2766f75 | 18 | # include "internal/rand.h" |
12fb8c3d | 19 | |
/*
 * How many times to read the TSC (time stamp counter) as a randomness
 * source; used by rand_acquire_entropy_from_tsc() declared below.
 */
# define TSC_READ_COUNT 4
22 | ||
/*
 * Maximum reseed intervals.
 *
 * MAX_RESEED_INTERVAL counts generate requests, MAX_RESEED_TIME_INTERVAL is
 * in seconds -- the same units as reseed_interval and reseed_time_interval
 * in struct rand_drbg_st, for which these presumably are the upper bounds.
 */
# define MAX_RESEED_INTERVAL (1 << 24)
# define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */

/*
 * Default reseed intervals.
 *
 * The <master> DRBG reseeds after fewer generate requests but a longer
 * time than the slave DRBGs (presumably the <public> and <private>
 * children; see the reseed_counter comment in struct rand_drbg_st for
 * how fresh seed material is propagated from the master to them).
 */
# define MASTER_RESEED_INTERVAL (1 << 8)
# define SLAVE_RESEED_INTERVAL (1 << 16)
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */


/*
 * Max size (in bytes) of additional input and personalization string;
 * presumably the value behind max_perslen/max_adinlen in struct rand_drbg_st.
 */
# define DRBG_MAX_LENGTH 4096
12fb8c3d | 37 | |
/*
 * The quotient between max_{entropy,nonce}len and min_{entropy,nonce}len
 * (i.e. max_..len = DRBG_MINMAX_FACTOR * min_..len).
 *
 * The current factor is large enough that the RAND_POOL can store a
 * random input which has a lousy entropy rate of 0.0625 bits per byte
 * (8 bits spread over 128 bytes). This input will be sent through the
 * derivation function which 'compresses' the low quality input into a
 * high quality output.
 */
# define DRBG_MINMAX_FACTOR 128
12fb8c3d | 47 | |
48 | |
/*
 * DRBG status values, held in struct rand_drbg_st.state.
 *
 * Only DRBG_READY presumably permits generate/reseed; the exact transitions
 * (in particular whether DRBG_ERROR requires a fresh instantiation) must be
 * confirmed against the implementation.
 */
typedef enum drbg_status_e {
    DRBG_UNINITIALISED,         /* not (or no longer) instantiated */
    DRBG_READY,                 /* instantiated and usable */
    DRBG_ERROR                  /* a previous operation failed */
} DRBG_STATUS;
55 | ||
56 | ||
/*
 * instantiate: seed the DRBG from entropy input (ent/entlen), a nonce
 * (nonce/noncelen) and a personalization string (pers/perslen).
 * All lengths are byte counts (see the 'len' convention documented in
 * struct rand_drbg_st). The int result presumably follows the usual
 * OpenSSL 1 = success / 0 = failure convention -- confirm against the
 * CTR implementation installed by drbg_ctr_init().
 */
typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx,
                                        const unsigned char *ent,
                                        size_t entlen,
                                        const unsigned char *nonce,
                                        size_t noncelen,
                                        const unsigned char *pers,
                                        size_t perslen);
/*
 * reseed: mix fresh entropy input (ent/entlen) and optional additional
 * input (adin/adinlen) into the state.
 */
typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx,
                                   const unsigned char *ent,
                                   size_t entlen,
                                   const unsigned char *adin,
                                   size_t adinlen);
/*
 * generate output: write outlen bytes to out, optionally mixing in
 * additional input (adin/adinlen) first.
 */
typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx,
                                     unsigned char *out,
                                     size_t outlen,
                                     const unsigned char *adin,
                                     size_t adinlen);
/* uninstantiate: tear down the implementation-specific state. */
typedef int (*RAND_DRBG_uninstantiate_fn)(RAND_DRBG *ctx);
79 | ||
80 | ||
/*
 * The DRBG methods: the implementation-specific entry points installed in
 * struct rand_drbg_st.meth (currently only by drbg_ctr_init()).
 */

typedef struct rand_drbg_method_st {
    RAND_DRBG_instantiate_fn instantiate;
    RAND_DRBG_reseed_fn reseed;
    RAND_DRBG_generate_fn generate;
    RAND_DRBG_uninstantiate_fn uninstantiate;
} RAND_DRBG_METHOD;
91 | ||
92 | ||
/*
 * The state of a DRBG AES-CTR.
 *
 * NOTE(review): K and V appear to be the CTR_DRBG working state of
 * [NIST SP 800-90Ar1] section 10.2.1 (see the parameter comment in
 * struct rand_drbg_st), so the whole struct -- including the derivation
 * function temporaries -- is secret material. Confirm that uninstantiate
 * clears it rather than merely freeing the enclosing object.
 */
typedef struct rand_drbg_ctr_st {
    AES_KEY ks;                 /* expanded key schedule, presumably derived from K */
    size_t keylen;              /* AES key length in use, in bytes */
    unsigned char K[32];        /* key; sized for the largest supported AES key */
    unsigned char V[16];        /* counter block (one AES block) */
    /* Temp variables used by derivation function */
    AES_KEY df_ks;
    AES_KEY df_kxks;
    /* Temporary block storage used by ctr_df */
    unsigned char bltmp[16];
    size_t bltmp_pos;           /* number of bytes currently buffered in bltmp (presumably) */
    unsigned char KX[48];       /* 32 + 16 bytes: presumably K||V seed material for the largest key */
} RAND_DRBG_CTR;
12fb8c3d | 109 | |
110 | |
/*
 * The state of all types of DRBGs, even though we only have CTR mode
 * right now.
 */
struct rand_drbg_st {
    /* Presumably serializes access to this instance -- confirm in the implementation. */
    CRYPTO_RWLOCK *lock;
    /*
     * The DRBG this one obtains its seed material from (see the
     * reseed_counter comment below); presumably NULL for the <master>.
     */
    RAND_DRBG *parent;
    int nid; /* the underlying algorithm */
    /*
     * Snapshot of rand_fork_count (declared below); presumably compared
     * against it to detect that the process has forked -- confirm.
     */
    int fork_count;
    unsigned short flags; /* various external flags */

    /*
     * The random pool is used by RAND_add()/drbg_add() to attach random
     * data to the global drbg, such that the rand_drbg_get_entropy() callback
     * can pull it during instantiation and reseeding. This is necessary to
     * reconcile the different philosophies of the RAND and the RAND_DRBG
     * with respect to how randomness is added to the RNG during reseeding
     * (see PR #4328).
     */
    RAND_POOL *pool;

    /*
     * The following parameters are set up by the per-type "init" function.
     *
     * Currently the only type is CTR_DRBG, its init function is drbg_ctr_init().
     *
     * The parameters are closely related to the ones described in
     * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
     * crucial difference: In the NIST standard, all counts are given
     * in bits, whereas in OpenSSL entropy counts are given in bits
     * and buffer lengths are given in bytes.
     *
     * Since this difference has led to some confusion in the past,
     * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
     * the 'len' suffix has been added to all buffer sizes for
     * clarification.
     */

    int strength;                           /* security strength, in bits */
    size_t max_request;                     /* presumably the max. output bytes per generate request */
    size_t min_entropylen, max_entropylen;  /* bytes; see DRBG_MINMAX_FACTOR */
    size_t min_noncelen, max_noncelen;      /* bytes; see DRBG_MINMAX_FACTOR */
    size_t max_perslen, max_adinlen;        /* bytes; see DRBG_MAX_LENGTH */

    /* Counts the number of generate requests since the last reseed. */
    unsigned int generate_counter;
    /*
     * Maximum number of generate requests until a reseed is required.
     * This value is ignored if it is zero.
     */
    unsigned int reseed_interval;
    /* Stores the time when the last reseeding occurred */
    time_t reseed_time;
    /*
     * Specifies the maximum time interval (in seconds) between reseeds.
     * This value is ignored if it is zero.
     */
    time_t reseed_time_interval;
    /*
     * Counts the number of reseeds since instantiation.
     * This value is ignored if it is zero.
     *
     * This counter is used only for seed propagation from the <master> DRBG
     * to its two children, the <public> and <private> DRBG. This feature is
     * very special and its sole purpose is to ensure that any randomness which
     * is added by RAND_add() or RAND_seed() will have an immediate effect on
     * the output of RAND_bytes() resp. RAND_priv_bytes().
     */
    unsigned int reseed_counter;

    size_t seedlen;                         /* length of the seed material, in bytes */
    DRBG_STATUS state;                      /* see DRBG_STATUS above */

    /* Application data, mainly used in the KATs. */
    CRYPTO_EX_DATA ex_data;

    /* Implementation specific data (currently only one implementation) */
    union {
        RAND_DRBG_CTR ctr;
    } data;

    /* Implementation specific methods */
    RAND_DRBG_METHOD *meth;

    /* Callback functions. See comments in rand_lib.c */
    RAND_DRBG_get_entropy_fn get_entropy;
    RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
    RAND_DRBG_get_nonce_fn get_nonce;
    RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
};
da8fc25a | 201 | |
/*
 * The global RAND method. (The global DRBG instances themselves are not
 * declared in this header.)
 */
extern RAND_METHOD rand_meth;

/*
 * How often we've forked (only incremented in child).
 * Compare with struct rand_drbg_st.fork_count.
 */
extern int rand_fork_count;
207 | ||
/*
 * Hardware-based seeding functions. Each adds whatever it can gather to
 * the pool; the size_t result is presumably the amount collected -- confirm
 * (bits vs. bytes) against the implementation.
 */
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool);

/*
 * DRBG entropy callbacks (installed as get_entropy/cleanup_entropy in
 * struct rand_drbg_st).
 *
 * rand_drbg_get_entropy(): `entropy` is requested in bits, min_len/max_len
 * bound the buffer in bytes (the convention documented in struct
 * rand_drbg_st); the buffer is returned via *pout and its length is the
 * return value. It is presumably released by rand_drbg_cleanup_entropy(),
 * which must be given the same pointer and length -- confirm, and confirm
 * that the cleanup wipes the buffer, since it held seed material.
 */
size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
                             unsigned char **pout,
                             int entropy, size_t min_len, size_t max_len);
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
                               unsigned char *out, size_t outlen);
/* Returns up to max_len bytes of additional input via *pout. */
size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len);

/*
 * DRBG helpers.
 * rand_drbg_restart(): `len` is the buffer length in bytes, `entropy` the
 * entropy it is credited with, in bits (see struct rand_drbg_st).
 */
int rand_drbg_restart(RAND_DRBG *drbg,
                      const unsigned char *buffer, size_t len, size_t entropy);

/* initializes the AES-CTR DRBG implementation (parameters and meth) */
int drbg_ctr_init(RAND_DRBG *drbg);
226 | |
227 | #endif |