1 | /* |
2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. | |
8ad7635e | 3 | * |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ |
9 | ||
10 | #ifndef HEADER_RAND_LCL_H | |
0f113f3e | 11 | # define HEADER_RAND_LCL_H |
8ad7635e | 12 | |
13 | # include <openssl/aes.h> |
14 | # include <openssl/evp.h> | |
15 | # include <openssl/sha.h> | |
16 | # include <openssl/hmac.h> | |
17 | # include <openssl/ec.h> | |
f2766f75 | 18 | # include "internal/rand.h" |
12fb8c3d | 19 | |
/*
 * Amount of randomness (in bytes) we want for initial seeding.
 * This is based on the fact that we use AES-128 as the DRBG, and
 * that we use the derivation function. If either of those changes,
 * (see rand_init() in rand_lib.c), change this.
 * 16 bytes is 128 bits, i.e. the security strength of AES-128.
 */
# define RANDOMNESS_NEEDED 16

/*
 * How many times to read the TSC as a randomness source
 * (used by rand_read_tsc(), declared below).
 */
# define TSC_READ_COUNT 4

/*
 * Maximum amount of randomness to hold in RAND_BYTES_BUFFER,
 * expressed as a multiple of one initial seeding's worth.
 */
# define MAX_RANDOMNESS_HELD (4 * RANDOMNESS_NEEDED)

/*
 * Maximum count allowed in reseeding.
 * NOTE(review): presumably the upper bound for rand_drbg_st.reseed_interval;
 * confirm where it is checked in rand_lib.c.
 */
# define MAX_RESEED (1 << 24)

/* How often we call RAND_poll() in drbg_entropy_from_system */
# define RAND_POLL_RETRIES 8

/*
 * Max size of entropy, addin, etc. Larger than any reasonable value.
 * The value fits in a signed 32-bit int, so callers can compare it against
 * int-typed lengths without overflow.
 */
# define DRBG_MAX_LENGTH 0x7ffffff0
12fb8c3d | 42 | |
43 | |
/*
 * DRBG status values, held in rand_drbg_st.state.
 * The numbering is written out explicitly; it matches declaration order.
 * Member meanings below are taken from the names — see rand_lib.c for the
 * transitions.
 */
typedef enum drbg_status_e {
    DRBG_UNINITIALISED = 0, /* no instantiate has succeeded yet */
    DRBG_READY = 1,         /* instantiated and usable */
    DRBG_RESEED = 2,        /* a reseed is required before further output */
    DRBG_ERROR = 3          /* an operation failed; instance is unusable */
} DRBG_STATUS;
51 | ||
52 | ||
/*
 * A buffer of random bytes to be fed as "entropy" into the DRBG. RAND_add()
 * adds data to the buffer, and the drbg_entropy_from_system() pulls data from
 * the buffer. We have a separate data structure because of the way the
 * API is defined; otherwise we'd run into deadlocks (RAND_bytes ->
 * RAND_DRBG_generate* -> drbg_entropy_from_system -> RAND_poll -> RAND_add ->
 * drbg_add*; the functions with an asterisk lock).
 *
 * The single global instance is rand_bytes (declared below); its capacity
 * is bounded by MAX_RANDOMNESS_HELD.
 */
typedef struct rand_bytes_buffer_st {
    CRYPTO_RWLOCK *lock;        /* guards the fields below */
    unsigned char *buff;        /* the byte store */
    size_t size;                /* capacity of buff in bytes */
    size_t curr;                /* presumably bytes currently held; confirm in rand_lib.c */
    int secure;                 /* NOTE(review): looks like "buff is in the secure heap" — confirm */
} RAND_BYTES_BUFFER;
68 | ||
/*
 * The state of a DRBG AES-CTR.
 *
 * K and V are the Key and V of the CTR_DRBG described in section 10.2.1 of
 * NIST SP 800-90Ar1; the remaining fields are scratch space for the
 * derivation function. All of these hold key material, so ctr_uninstantiate
 * is expected to clear them — NOTE(review): confirm in rand_lib.c.
 */
typedef struct rand_drbg_ctr_st {
    AES_KEY ks;                 /* expanded key schedule for K */
    size_t keylen;              /* bytes of K in use (AES-128/192/256 use 16/24/32) */
    unsigned char K[32];        /* key; sized for the largest AES key */
    unsigned char V[16];        /* counter block; one AES block */
    /* Temp variables used by derivation function */
    AES_KEY df_ks;
    AES_KEY df_kxks;
    /* Temporary block storage used by ctr_df */
    unsigned char bltmp[16];    /* one AES block */
    size_t bltmp_pos;           /* fill position within bltmp */
    unsigned char KX[48];       /* presumably K||V material: max keylen (32) + block (16) */
} RAND_DRBG_CTR;
12fb8c3d | 85 | |
86 | |
/*
 * The state of all types of DRBGs, even though we only have CTR mode
 * right now.
 */
struct rand_drbg_st {
    CRYPTO_RWLOCK *lock;        /* guards the instance state */
    RAND_DRBG *parent;          /* DRBG that drbg_entropy_from_parent seeds from; presumably NULL at the root — confirm */
    int nid;                    /* the underlying algorithm, as an OpenSSL NID */
    int fork_count;             /* rand_fork_count observed by this instance; presumably compared to detect a fork — confirm */
    unsigned short flags;       /* various external flags */
    char secure;                /* NOTE(review): looks like "allocated from the secure heap" — confirm */
    /*
     * This is a fixed-size buffer, but we malloc to make it a little
     * harder to find; a classic security/performance trade-off.
     */
    int size;

    /*
     * The following parameters are setup by the per-type "init" function.
     *
     * Currently the only type is CTR_DRBG, its init function is ctr_init().
     *
     * The parameters are closely related to the ones described in
     * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
     * crucial difference: In the NIST standard, all counts are given
     * in bits, whereas in OpenSSL entropy counts are given in bits
     * and buffer lengths are given in bytes.
     *
     * Since this difference has led to some confusion in the past,
     * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
     * the 'len' suffix has been added to all buffer sizes for
     * clarification.
     */

    int strength;               /* security strength, in bits (no 'len' suffix: not a buffer size) */
    size_t max_request;         /* largest single generate request, in bytes */
    size_t min_entropylen, max_entropylen;
    size_t min_noncelen, max_noncelen;
    size_t max_perslen, max_adinlen;
    unsigned int reseed_counter;    /* requests since the last reseed — confirm in ctr_generate/rand_lib.c */
    unsigned int reseed_interval;   /* counter value that forces a reseed; presumably bounded by MAX_RESEED */
    size_t seedlen;
    DRBG_STATUS state;          /* lifecycle state, see DRBG_STATUS */

    /* Application data, mainly used in the KATs. */
    CRYPTO_EX_DATA ex_data;

    /* Implementation specific structures; was a union, but inline for now */
    RAND_DRBG_CTR ctr;

    /* Callback functions. See comments in rand_lib.c */
    RAND_DRBG_get_entropy_fn get_entropy;
    RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
    RAND_DRBG_get_nonce_fn get_nonce;
    RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
};
da8fc25a | 143 | |
/*
 * The global RAND method and the global entropy buffer.
 * (No global DRBG instance is declared in this header.)
 */
extern RAND_METHOD rand_meth;
extern RAND_BYTES_BUFFER rand_bytes;

/* How often we've forked (only incremented in child). */
extern int rand_fork_count;

/*
 * Hardware-based seeding functions. Each feeds what it collects to the
 * supplied RAND_poll_cb with the opaque arg. rand_read_tsc() reads the
 * timestamp counter TSC_READ_COUNT times; rand_read_cpu()'s int return
 * presumably reports whether a hardware source was available — confirm.
 */
void rand_read_tsc(RAND_poll_cb rand_add, void *arg);
int rand_read_cpu(RAND_poll_cb rand_add, void *arg);

/*
 * DRBG entropy callbacks.
 * 'entropy' is the amount requested in bits; min_len/max_len and the
 * returned size_t are byte counts (see the units note in struct
 * rand_drbg_st). *pout receives the buffer; drbg_release_entropy() is the
 * matching release for that buffer. drbg_entropy_from_system() polls
 * RAND_poll() up to RAND_POLL_RETRIES times.
 * NOTE(review): a return of 0 presumably signals failure — confirm.
 */
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen);
size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
                                unsigned char **pout,
                                int entropy, size_t min_len, size_t max_len);
size_t drbg_entropy_from_system(RAND_DRBG *drbg,
                                unsigned char **pout,
                                int entropy, size_t min_len, size_t max_len);

/*
 * DRBG functions implementing AES-CTR.
 * All lengths are in bytes. The int results follow the usual OpenSSL
 * 1 = success, 0 = failure convention — NOTE(review): confirm in rand_lib.c.
 */
int ctr_init(RAND_DRBG *drbg);
int ctr_uninstantiate(RAND_DRBG *drbg);
int ctr_instantiate(RAND_DRBG *drbg,
                    const unsigned char *entropy, size_t entropylen,
                    const unsigned char *nonce, size_t noncelen,
                    const unsigned char *pers, size_t perslen);
int ctr_reseed(RAND_DRBG *drbg,
               const unsigned char *entropy, size_t entropylen,
               const unsigned char *adin, size_t adinlen);
int ctr_generate(RAND_DRBG *drbg,
                 unsigned char *out, size_t outlen,
                 const unsigned char *adin, size_t adinlen);
177 | |
178 | #endif |