2016-05-18 02:52:22 +08:00
|
|
|
/*
|
|
|
|
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
2000-07-20 05:43:23 +08:00
|
|
|
*
|
2016-05-18 02:52:22 +08:00
|
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
* https://www.openssl.org/source/license.html
|
2000-07-20 05:43:23 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef HEADER_RAND_LCL_H
|
2015-01-22 11:40:55 +08:00
|
|
|
# define HEADER_RAND_LCL_H
|
2000-07-20 05:43:23 +08:00
|
|
|
|
2017-06-28 00:04:37 +08:00
|
|
|
# include <openssl/aes.h>
|
|
|
|
# include <openssl/evp.h>
|
|
|
|
# include <openssl/sha.h>
|
|
|
|
# include <openssl/hmac.h>
|
|
|
|
# include <openssl/ec.h>
|
2017-07-20 17:58:28 +08:00
|
|
|
# include "internal/rand.h"
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-08 07:21:36 +08:00
|
|
|
/* How many times to read the TSC as a randomness source. */
|
|
|
|
# define TSC_READ_COUNT 4
|
|
|
|
|
2017-11-24 21:59:58 +08:00
|
|
|
/* Maximum reseed interval */
|
|
|
|
# define MAX_RESEED_INTERVAL (1 << 24)
|
|
|
|
|
|
|
|
/* Default reseed intervals */
|
|
|
|
# define MASTER_RESEED_INTERVAL (1 << 8)
|
|
|
|
# define SLAVE_RESEED_INTERVAL (1 << 16)
|
2017-07-20 05:41:26 +08:00
|
|
|
|
2017-09-01 05:16:22 +08:00
|
|
|
/* Max size of additional input and personalization string. */
|
|
|
|
# define DRBG_MAX_LENGTH 4096
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-09-01 05:16:22 +08:00
|
|
|
/*
|
|
|
|
* The quotient between max_{entropy,nonce}len and min_{entropy,nonce}len
|
|
|
|
*
|
|
|
|
* The current factor is large enough that the RAND_POOL can store a
|
|
|
|
* random input which has a lousy entropy rate of 0.0625 bits per byte.
|
|
|
|
* This input will be sent through the derivation function which 'compresses'
|
|
|
|
* the low quality input into a high quality output.
|
|
|
|
*/
|
|
|
|
# define DRBG_MINMAX_FACTOR 128
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
|
|
|
|
/* DRBG status values */
|
|
|
|
typedef enum drbg_status_e {
|
|
|
|
DRBG_UNINITIALISED,
|
|
|
|
DRBG_READY,
|
|
|
|
DRBG_ERROR
|
|
|
|
} DRBG_STATUS;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The state of a DRBG AES-CTR.
|
|
|
|
*/
|
|
|
|
typedef struct rand_drbg_ctr_st {
|
2017-06-28 00:04:37 +08:00
|
|
|
AES_KEY ks;
|
|
|
|
size_t keylen;
|
|
|
|
unsigned char K[32];
|
|
|
|
unsigned char V[16];
|
|
|
|
/* Temp variables used by derivation function */
|
|
|
|
AES_KEY df_ks;
|
|
|
|
AES_KEY df_kxks;
|
|
|
|
/* Temporary block storage used by ctr_df */
|
|
|
|
unsigned char bltmp[16];
|
|
|
|
size_t bltmp_pos;
|
|
|
|
unsigned char KX[48];
|
2017-08-03 21:23:28 +08:00
|
|
|
} RAND_DRBG_CTR;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-07-18 21:39:21 +08:00
|
|
|
|
|
|
|
/*
|
2017-08-03 21:23:28 +08:00
|
|
|
* The state of all types of DRBGs, even though we only have CTR mode
|
|
|
|
* right now.
|
2017-07-18 21:39:21 +08:00
|
|
|
*/
|
2017-08-03 21:23:28 +08:00
|
|
|
struct rand_drbg_st {
|
2017-06-28 00:04:37 +08:00
|
|
|
CRYPTO_RWLOCK *lock;
|
2017-08-03 21:23:28 +08:00
|
|
|
RAND_DRBG *parent;
|
|
|
|
int nid; /* the underlying algorithm */
|
2017-08-07 06:12:28 +08:00
|
|
|
int fork_count;
|
2017-08-03 21:23:28 +08:00
|
|
|
unsigned short flags; /* various external flags */
|
2017-09-01 05:16:22 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/*
|
2017-09-01 05:16:22 +08:00
|
|
|
* The random pool is used by RAND_add()/drbg_add() to attach random
|
|
|
|
* data to the global drbg, such that the rand_drbg_get_entropy() callback
|
|
|
|
* can pull it during instantiation and reseeding. This is necessary to
|
|
|
|
* reconcile the different philosophies of the RAND and the RAND_DRBG
|
|
|
|
* with respect to how randomness is added to the RNG during reseeding
|
|
|
|
* (see PR #4328).
|
2017-08-03 21:23:28 +08:00
|
|
|
*/
|
2017-09-01 05:16:22 +08:00
|
|
|
RAND_POOL *pool;
|
2017-08-03 21:23:28 +08:00
|
|
|
|
2017-09-01 05:16:22 +08:00
|
|
|
/*
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
* The following parameters are setup by the per-type "init" function.
|
|
|
|
*
|
|
|
|
* Currently the only type is CTR_DRBG, its init function is ctr_init().
|
|
|
|
*
|
2017-09-01 05:16:22 +08:00
|
|
|
* The parameters are closely related to the ones described in
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
* section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
|
|
|
|
* crucial difference: In the NIST standard, all counts are given
|
2017-09-01 05:16:22 +08:00
|
|
|
* in bits, whereas in OpenSSL entropy counts are given in bits
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
* and buffer lengths are given in bytes.
|
2017-09-01 05:16:22 +08:00
|
|
|
*
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
* Since this difference has lead to some confusion in the past,
|
|
|
|
* (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
|
2017-09-01 05:16:22 +08:00
|
|
|
* the 'len' suffix has been added to all buffer sizes for
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
* clarification.
|
|
|
|
*/
|
2017-09-01 05:16:22 +08:00
|
|
|
|
2017-06-28 00:04:37 +08:00
|
|
|
int strength;
|
|
|
|
size_t max_request;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
size_t min_entropylen, max_entropylen;
|
|
|
|
size_t min_noncelen, max_noncelen;
|
|
|
|
size_t max_perslen, max_adinlen;
|
2017-11-24 21:59:58 +08:00
|
|
|
|
|
|
|
/* Counts the number of generate requests since the last reseed. */
|
|
|
|
unsigned int generate_counter;
|
|
|
|
/*
|
|
|
|
* Maximum number of generate requests until a reseed is required.
|
|
|
|
* This value is ignored if it is zero.
|
|
|
|
*/
|
2017-06-28 00:04:37 +08:00
|
|
|
unsigned int reseed_interval;
|
2017-11-24 21:59:58 +08:00
|
|
|
/*
|
|
|
|
* Counts the number of reseeds since instantiation.
|
|
|
|
* This value is ignored if it is zero.
|
|
|
|
*
|
|
|
|
* This counter is used only for seed propagation from the <master> DRBG
|
|
|
|
* to its two children, the <public> and <private> DRBG. This feature is
|
|
|
|
* very special and its sole purpose is to ensure that any randomness which
|
|
|
|
* is added by RAND_add() or RAND_seed() will have an immediate effect on
|
|
|
|
* the output of RAND_bytes() resp. RAND_priv_bytes().
|
|
|
|
*/
|
|
|
|
unsigned int reseed_counter;
|
|
|
|
|
2017-06-28 00:04:37 +08:00
|
|
|
size_t seedlen;
|
2017-08-03 21:23:28 +08:00
|
|
|
DRBG_STATUS state;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* Application data, mainly used in the KATs. */
|
2017-06-28 00:04:37 +08:00
|
|
|
CRYPTO_EX_DATA ex_data;
|
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* Implementation specific structures; was a union, but inline for now */
|
|
|
|
RAND_DRBG_CTR ctr;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* Callback functions. See comments in rand_lib.c */
|
2017-07-20 06:32:08 +08:00
|
|
|
RAND_DRBG_get_entropy_fn get_entropy;
|
|
|
|
RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
|
|
|
|
RAND_DRBG_get_nonce_fn get_nonce;
|
|
|
|
RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
|
2017-06-28 00:04:37 +08:00
|
|
|
};
|
2017-06-22 21:21:43 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* The global RAND method, and the global buffer and DRBG instance. */
|
|
|
|
extern RAND_METHOD rand_meth;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-07 06:12:28 +08:00
|
|
|
/* How often we've forked (only incremented in child). */
|
|
|
|
extern int rand_fork_count;
|
|
|
|
|
2017-07-18 21:39:21 +08:00
|
|
|
/* Hardware-based seeding functions. */
|
2017-09-01 05:16:22 +08:00
|
|
|
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
|
|
|
|
size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool);
|
2017-08-03 21:23:28 +08:00
|
|
|
|
|
|
|
/* DRBG entropy callbacks. */
|
2017-09-01 05:16:22 +08:00
|
|
|
size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
|
|
|
unsigned char **pout,
|
|
|
|
int entropy, size_t min_len, size_t max_len);
|
|
|
|
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
|
|
|
|
unsigned char *out, size_t outlen);
|
|
|
|
|
|
|
|
/* DRBG helpers */
|
|
|
|
int rand_drbg_restart(RAND_DRBG *drbg,
|
|
|
|
const unsigned char *buffer, size_t len, size_t entropy);
|
2017-07-18 21:39:21 +08:00
|
|
|
|
|
|
|
/* DRBG functions implementing AES-CTR */
|
2017-08-03 21:23:28 +08:00
|
|
|
int ctr_init(RAND_DRBG *drbg);
|
|
|
|
int ctr_uninstantiate(RAND_DRBG *drbg);
|
|
|
|
int ctr_instantiate(RAND_DRBG *drbg,
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
const unsigned char *entropy, size_t entropylen,
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *nonce, size_t noncelen,
|
|
|
|
const unsigned char *pers, size_t perslen);
|
2017-08-03 21:23:28 +08:00
|
|
|
int ctr_reseed(RAND_DRBG *drbg,
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
const unsigned char *entropy, size_t entropylen,
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *adin, size_t adinlen);
|
2017-08-03 21:23:28 +08:00
|
|
|
int ctr_generate(RAND_DRBG *drbg,
|
2017-06-28 00:04:37 +08:00
|
|
|
unsigned char *out, size_t outlen,
|
|
|
|
const unsigned char *adin, size_t adinlen);
|
2000-07-20 05:43:23 +08:00
|
|
|
|
|
|
|
#endif
|