2016-05-18 02:52:22 +08:00
|
|
|
/*
|
|
|
|
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
2000-07-20 05:43:23 +08:00
|
|
|
*
|
2016-05-18 02:52:22 +08:00
|
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
* https://www.openssl.org/source/license.html
|
2000-07-20 05:43:23 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef HEADER_RAND_LCL_H
|
2015-01-22 11:40:55 +08:00
|
|
|
# define HEADER_RAND_LCL_H
|
2000-07-20 05:43:23 +08:00
|
|
|
|
2017-06-28 00:04:37 +08:00
|
|
|
# include <openssl/aes.h>
|
|
|
|
# include <openssl/evp.h>
|
|
|
|
# include <openssl/sha.h>
|
|
|
|
# include <openssl/hmac.h>
|
|
|
|
# include <openssl/ec.h>
|
2017-07-20 17:58:28 +08:00
|
|
|
# include "internal/rand.h"
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/*
|
|
|
|
* Amount of randomness (in bytes) we want for initial seeding.
|
|
|
|
* This is based on the fact that we use AES-128 as the CRBG, and
|
|
|
|
* that we use the derivation function. If either of those changes,
|
|
|
|
* (see rand_init() in rand_lib.c), change this.
|
|
|
|
*/
|
|
|
|
# define RANDOMNESS_NEEDED 16
|
|
|
|
|
2017-08-08 07:21:36 +08:00
|
|
|
/* How many times to read the TSC as a randomness source. */
|
|
|
|
# define TSC_READ_COUNT 4
|
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* Maximum amount of randomness to hold in RAND_BYTES_BUFFER. */
|
|
|
|
# define MAX_RANDOMNESS_HELD (4 * RANDOMNESS_NEEDED)
|
2000-07-20 05:43:23 +08:00
|
|
|
|
2017-07-20 05:41:26 +08:00
|
|
|
/* Maximum count allowed in reseeding */
|
2017-08-03 21:23:28 +08:00
|
|
|
# define MAX_RESEED (1 << 24)
|
2017-07-20 05:41:26 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* How often we call RAND_poll() in drbg_entropy_from_system */
|
|
|
|
# define RAND_POLL_RETRIES 8
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* Max size of entropy, addin, etc. Larger than any reasonable value */
|
2017-07-18 21:39:21 +08:00
|
|
|
# define DRBG_MAX_LENGTH 0x7ffffff0
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
|
|
|
|
/* DRBG status values */
|
|
|
|
typedef enum drbg_status_e {
|
|
|
|
DRBG_UNINITIALISED,
|
|
|
|
DRBG_READY,
|
|
|
|
DRBG_RESEED,
|
|
|
|
DRBG_ERROR
|
|
|
|
} DRBG_STATUS;
|
|
|
|
|
|
|
|
|
2017-07-18 21:39:21 +08:00
|
|
|
/*
|
2017-08-03 21:23:28 +08:00
|
|
|
* A buffer of random bytes to be fed as "entropy" into the DRBG. RAND_add()
|
|
|
|
* adds data to the buffer, and the drbg_entropy_from_system() pulls data from
|
|
|
|
* the buffer. We have a separate data structure because of the way the
|
|
|
|
* API is defined; otherwise we'd run into deadlocks (RAND_bytes ->
|
|
|
|
* RAND_DRBG_generate* -> drbg_entropy_from_system -> RAND_poll -> RAND_add ->
|
|
|
|
* drbg_add*; the functions with an asterisk lock).
|
2017-07-18 21:39:21 +08:00
|
|
|
*/
|
2017-08-03 21:23:28 +08:00
|
|
|
typedef struct rand_bytes_buffer_st {
|
|
|
|
CRYPTO_RWLOCK *lock;
|
2017-08-08 07:21:36 +08:00
|
|
|
unsigned char *buff;
|
2017-08-03 21:23:28 +08:00
|
|
|
size_t size;
|
|
|
|
size_t curr;
|
2017-08-08 07:21:36 +08:00
|
|
|
int secure;
|
2017-08-03 21:23:28 +08:00
|
|
|
} RAND_BYTES_BUFFER;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The state of a DRBG AES-CTR.
|
|
|
|
*/
|
|
|
|
typedef struct rand_drbg_ctr_st {
|
2017-06-28 00:04:37 +08:00
|
|
|
AES_KEY ks;
|
|
|
|
size_t keylen;
|
|
|
|
unsigned char K[32];
|
|
|
|
unsigned char V[16];
|
|
|
|
/* Temp variables used by derivation function */
|
|
|
|
AES_KEY df_ks;
|
|
|
|
AES_KEY df_kxks;
|
|
|
|
/* Temporary block storage used by ctr_df */
|
|
|
|
unsigned char bltmp[16];
|
|
|
|
size_t bltmp_pos;
|
|
|
|
unsigned char KX[48];
|
2017-08-03 21:23:28 +08:00
|
|
|
} RAND_DRBG_CTR;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-07-18 21:39:21 +08:00
|
|
|
|
|
|
|
/*
|
2017-08-03 21:23:28 +08:00
|
|
|
* The state of all types of DRBGs, even though we only have CTR mode
|
|
|
|
* right now.
|
2017-07-18 21:39:21 +08:00
|
|
|
*/
|
2017-08-03 21:23:28 +08:00
|
|
|
struct rand_drbg_st {
|
2017-06-28 00:04:37 +08:00
|
|
|
CRYPTO_RWLOCK *lock;
|
2017-08-03 21:23:28 +08:00
|
|
|
RAND_DRBG *parent;
|
|
|
|
int nid; /* the underlying algorithm */
|
2017-08-07 06:12:28 +08:00
|
|
|
int fork_count;
|
2017-08-03 21:23:28 +08:00
|
|
|
unsigned short flags; /* various external flags */
|
2017-08-08 07:21:36 +08:00
|
|
|
char filled;
|
|
|
|
char secure;
|
2017-08-03 21:23:28 +08:00
|
|
|
/*
|
|
|
|
* This is a fixed-size buffer, but we malloc to make it a little
|
|
|
|
* harder to find; a classic security/performance trade-off.
|
|
|
|
*/
|
|
|
|
int size;
|
|
|
|
unsigned char *randomness;
|
|
|
|
|
|
|
|
/* These parameters are setup by the per-type "init" function. */
|
2017-06-28 00:04:37 +08:00
|
|
|
int strength;
|
|
|
|
size_t max_request;
|
|
|
|
size_t min_entropy, max_entropy;
|
|
|
|
size_t min_nonce, max_nonce;
|
|
|
|
size_t max_pers, max_adin;
|
|
|
|
unsigned int reseed_counter;
|
|
|
|
unsigned int reseed_interval;
|
|
|
|
size_t seedlen;
|
2017-08-03 21:23:28 +08:00
|
|
|
DRBG_STATUS state;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* Application data, mainly used in the KATs. */
|
2017-06-28 00:04:37 +08:00
|
|
|
CRYPTO_EX_DATA ex_data;
|
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* Implementation specific structures; was a union, but inline for now */
|
|
|
|
RAND_DRBG_CTR ctr;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* Callback functions. See comments in rand_lib.c */
|
2017-07-20 06:32:08 +08:00
|
|
|
RAND_DRBG_get_entropy_fn get_entropy;
|
|
|
|
RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
|
|
|
|
RAND_DRBG_get_nonce_fn get_nonce;
|
|
|
|
RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
|
2017-06-28 00:04:37 +08:00
|
|
|
};
|
2017-06-22 21:21:43 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
/* The global RAND method, and the global buffer and DRBG instance. */
|
|
|
|
extern RAND_METHOD rand_meth;
|
|
|
|
extern RAND_BYTES_BUFFER rand_bytes;
|
|
|
|
extern RAND_DRBG rand_drbg;
|
2017-08-03 02:00:52 +08:00
|
|
|
extern RAND_DRBG priv_drbg;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-07 06:12:28 +08:00
|
|
|
/* How often we've forked (only incremented in child). */
|
|
|
|
extern int rand_fork_count;
|
|
|
|
|
2017-07-18 21:39:21 +08:00
|
|
|
/* Hardware-based seeding functions. */
|
2017-08-03 21:23:28 +08:00
|
|
|
void rand_read_tsc(RAND_poll_fn cb, void *arg);
|
|
|
|
int rand_read_cpu(RAND_poll_fn cb, void *arg);
|
|
|
|
|
|
|
|
/* DRBG entropy callbacks. */
|
|
|
|
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out);
|
|
|
|
size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
|
|
|
|
unsigned char **pout,
|
|
|
|
int entropy, size_t min_len, size_t max_len);
|
|
|
|
size_t drbg_entropy_from_system(RAND_DRBG *drbg,
|
|
|
|
unsigned char **pout,
|
|
|
|
int entropy, size_t min_len, size_t max_len);
|
2017-07-18 21:39:21 +08:00
|
|
|
|
|
|
|
/* DRBG functions implementing AES-CTR */
|
2017-08-03 21:23:28 +08:00
|
|
|
int ctr_init(RAND_DRBG *drbg);
|
|
|
|
int ctr_uninstantiate(RAND_DRBG *drbg);
|
|
|
|
int ctr_instantiate(RAND_DRBG *drbg,
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *ent, size_t entlen,
|
|
|
|
const unsigned char *nonce, size_t noncelen,
|
|
|
|
const unsigned char *pers, size_t perslen);
|
2017-08-03 21:23:28 +08:00
|
|
|
int ctr_reseed(RAND_DRBG *drbg,
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *ent, size_t entlen,
|
|
|
|
const unsigned char *adin, size_t adinlen);
|
2017-08-03 21:23:28 +08:00
|
|
|
int ctr_generate(RAND_DRBG *drbg,
|
2017-06-28 00:04:37 +08:00
|
|
|
unsigned char *out, size_t outlen,
|
|
|
|
const unsigned char *adin, size_t adinlen);
|
2000-07-20 05:43:23 +08:00
|
|
|
|
|
|
|
#endif
|