diff options
Diffstat (limited to 'crypto/rand/rand_local.h')
-rw-r--r-- | crypto/rand/rand_local.h | 244 |
1 files changed, 5 insertions, 239 deletions
diff --git a/crypto/rand/rand_local.h b/crypto/rand/rand_local.h index 76e50fa2fa..85158df76f 100644 --- a/crypto/rand/rand_local.h +++ b/crypto/rand/rand_local.h @@ -18,12 +18,10 @@ # include <openssl/rand_drbg.h> # include "internal/tsan_assist.h" # include "crypto/rand.h" +# include "crypto/rand_pool.h" # include "internal/numbers.h" -/* How many times to read the TSC as a randomness source. */ -# define TSC_READ_COUNT 4 - /* Maximum reseed intervals */ # define MAX_RESEED_INTERVAL (1 << 24) # define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */ @@ -31,8 +29,8 @@ /* Default reseed intervals */ # define MASTER_RESEED_INTERVAL (1 << 8) # define SLAVE_RESEED_INTERVAL (1 << 16) -# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ -# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ +# define MASTER_RESEED_TIME_INTERVAL (60 * 60) /* 1 hour */ +# define SLAVE_RESEED_TIME_INTERVAL (7 * 60) /* 7 minutes */ /* * The number of bytes that constitutes an atomic lump of entropy with respect @@ -53,60 +51,6 @@ */ # define DRBG_MAX_LENGTH INT32_MAX -/* The default nonce */ -#ifdef CHARSET_EBCDIC -# define DRBG_DEFAULT_PERS_STRING { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \ - 0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \ - 0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00}; -#else -# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" -#endif - -/* - * Maximum allocation size for RANDOM_POOL buffers - * - * The max_len value for the buffer provided to the rand_drbg_get_entropy() - * callback is currently 2^31 bytes (2 gigabytes), if a derivation function - * is used. Since this is much too large to be allocated, the rand_pool_new() - * function chooses more modest values as default pool length, bounded - * by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH - * - * The choice of the RAND_POOL_FACTOR is large enough such that the - * RAND_POOL can store a random input which has a lousy entropy rate of - * 8/256 (= 0.03125) bits per byte. This input will be sent through the - * derivation function which 'compresses' the low quality input into a - * high quality output. - * - * The factor 1.5 below is the pessimistic estimate for the extra amount - * of entropy required when no get_nonce() callback is defined. - */ -# define RAND_POOL_FACTOR 256 -# define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \ - 3 * (RAND_DRBG_STRENGTH / 16)) -/* - * = (RAND_POOL_FACTOR * \ - * 1.5 * (RAND_DRBG_STRENGTH / 8)) - */ - -/* - * Initial allocation minimum. - * - * There is a distinction between the secure and normal allocation minimums. - * Ideally, the secure allocation size should be a power of two. The normal - * allocation size doesn't have any such restriction. - * - * The secure value is based on 128 bits of secure material, which is 16 bytes. - * Typically, the DRBGs will set a minimum larger than this so optimal - * allocation ought to take place (for full quality seed material). - * - * The normal value has been chosen by noticing that the rand_drbg_get_nonce - * function is usually the largest of the built in allocation (twenty four - * bytes and then appending another sixteen bytes). This means the buffer ends - * with 40 bytes. The value of forty eight is comfortably above this which - * allows some slack in the platform specific values used. - */ -# define RAND_POOL_MIN_ALLOCATION(secure) ((secure) ? 16 : 48) - /* DRBG status values */ typedef enum drbg_status_e { DRBG_UNINITIALISED, @@ -114,7 +58,6 @@ typedef enum drbg_status_e { DRBG_ERROR } DRBG_STATUS; - /* instantiate */ typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx, const unsigned char *ent, @@ -140,82 +83,6 @@ typedef int (*RAND_DRBG_uninstantiate_fn)(RAND_DRBG *ctx); /* - * The DRBG methods - */ - -typedef struct rand_drbg_method_st { - RAND_DRBG_instantiate_fn instantiate; - RAND_DRBG_reseed_fn reseed; - RAND_DRBG_generate_fn generate; - RAND_DRBG_uninstantiate_fn uninstantiate; -} RAND_DRBG_METHOD; - -/* 888 bits from SP800-90Ar1 10.1 table 2 */ -#define HASH_PRNG_MAX_SEEDLEN (888/8) - -typedef struct rand_drbg_hash_st { - EVP_MD *md; - EVP_MD_CTX *ctx; - size_t blocklen; - unsigned char V[HASH_PRNG_MAX_SEEDLEN]; - unsigned char C[HASH_PRNG_MAX_SEEDLEN]; - /* Temporary value storage: should always exceed max digest length */ - unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN]; -} RAND_DRBG_HASH; - -typedef struct rand_drbg_hmac_st { - EVP_MD *md; - HMAC_CTX *ctx; - size_t blocklen; - unsigned char K[EVP_MAX_MD_SIZE]; - unsigned char V[EVP_MAX_MD_SIZE]; -} RAND_DRBG_HMAC; - -/* - * The state of a DRBG AES-CTR. - */ -typedef struct rand_drbg_ctr_st { - EVP_CIPHER_CTX *ctx_ecb; - EVP_CIPHER_CTX *ctx_ctr; - EVP_CIPHER_CTX *ctx_df; - EVP_CIPHER *cipher_ecb; - EVP_CIPHER *cipher_ctr; - size_t keylen; - unsigned char K[32]; - unsigned char V[16]; - /* Temporary block storage used by ctr_df */ - unsigned char bltmp[16]; - size_t bltmp_pos; - unsigned char KX[48]; -} RAND_DRBG_CTR; - - -/* - * The 'random pool' acts as a dumb container for collecting random - * input from various entropy sources. The pool has no knowledge about - * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() - * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the - * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and - * 4) cleanup the random pool again. - * - * The random pool contains no locking mechanism because its scope and - * lifetime is intended to be restricted to a single stack frame. - */ -struct rand_pool_st { - unsigned char *buffer; /* points to the beginning of the random pool */ - size_t len; /* current number of random bytes contained in the pool */ - - int attached; /* true pool was attached to existing buffer */ - int secure; /* 1: allocated on the secure heap, 0: otherwise */ - - size_t min_len; /* minimum number of random bytes requested */ - size_t max_len; /* maximum number of random bytes (allocated buffer size) */ - size_t alloc_len; /* current number of bytes allocated */ - size_t entropy; /* current entropy count in bits */ - size_t entropy_requested; /* requested entropy count in bits */ -}; - -/* * The state of all types of DRBGs, even though we only have CTR mode * right now. */ @@ -226,104 +93,13 @@ struct rand_drbg_st { RAND_DRBG *parent; int secure; /* 1: allocated on the secure heap, 0: otherwise */ int type; /* the nid of the underlying algorithm */ - /* - * Stores the return value of openssl_get_fork_id() as of when we last - * reseeded. The DRBG reseeds automatically whenever drbg->fork_id != - * openssl_get_fork_id(). Used to provide fork-safety and reseed this - * DRBG in the child process. - */ - int fork_id; unsigned short flags; /* various external flags */ - /* - * The random_data is used by RAND_add()/drbg_add() to attach random - * data to the global drbg, such that the rand_drbg_get_entropy() callback - * can pull it during instantiation and reseeding. This is necessary to - * reconcile the different philosophies of the RAND and the RAND_DRBG - * with respect to how randomness is added to the RNG during reseeding - * (see PR #4328). - */ - struct rand_pool_st *seed_pool; - - /* - * Auxiliary pool for additional data. - */ - struct rand_pool_st *adin_pool; - - /* - * The following parameters are setup by the per-type "init" function. - * - * The supported types and their init functions are: - * (1) CTR_DRBG: drbg_ctr_init(). - * (2) HMAC_DRBG: drbg_hmac_init(). - * (3) HASH_DRBG: drbg_hash_init(). - * - * The parameters are closely related to the ones described in - * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one - * crucial difference: In the NIST standard, all counts are given - * in bits, whereas in OpenSSL entropy counts are given in bits - * and buffer lengths are given in bytes. - * - * Since this difference has lead to some confusion in the past, - * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055]) - * the 'len' suffix has been added to all buffer sizes for - * clarification. - */ - - int strength; - size_t max_request; - size_t min_entropylen, max_entropylen; - size_t min_noncelen, max_noncelen; - size_t max_perslen, max_adinlen; - - /* - * Counts the number of generate requests since the last reseed - * (Starts at 1). This value is the reseed_counter as defined in - * NIST SP 800-90Ar1 - */ - unsigned int reseed_gen_counter; - /* - * Maximum number of generate requests until a reseed is required. - * This value is ignored if it is zero. - */ - unsigned int reseed_interval; - /* Stores the time when the last reseeding occurred */ - time_t reseed_time; - /* - * Specifies the maximum time interval (in seconds) between reseeds. - * This value is ignored if it is zero. - */ - time_t reseed_time_interval; - /* - * Counts the number of reseeds since instantiation. - * This value is ignored if it is zero. - * - * This counter is used only for seed propagation from the <master> DRBG - * to its two children, the <public> and <private> DRBG. This feature is - * very special and its sole purpose is to ensure that any randomness which - * is added by RAND_add() or RAND_seed() will have an immediate effect on - * the output of RAND_bytes() resp. RAND_priv_bytes(). - */ - TSAN_QUALIFIER unsigned int reseed_prop_counter; - unsigned int reseed_next_counter; - - size_t seedlen; - DRBG_STATUS state; - -#ifndef FIPS_MODULE /* Application data, mainly used in the KATs. */ CRYPTO_EX_DATA ex_data; -#endif - - /* Implementation specific data */ - union { - RAND_DRBG_CTR ctr; - RAND_DRBG_HASH hash; - RAND_DRBG_HMAC hmac; - } data; - /* Implementation specific methods */ - RAND_DRBG_METHOD *meth; + /* Implementation */ + EVP_RAND_CTX *rand; /* Callback functions. See comments in rand_lib.c */ RAND_DRBG_get_entropy_fn get_entropy; @@ -341,16 +117,6 @@ extern RAND_METHOD rand_meth; int rand_drbg_restart(RAND_DRBG *drbg, const unsigned char *buffer, size_t len, size_t entropy); size_t rand_drbg_seedlen(RAND_DRBG *drbg); -/* locking api */ -int rand_drbg_lock(RAND_DRBG *drbg); -int rand_drbg_unlock(RAND_DRBG *drbg); -int rand_drbg_enable_locking(RAND_DRBG *drbg); - - -/* initializes the DRBG implementation */ -int drbg_ctr_init(RAND_DRBG *drbg); -int drbg_hash_init(RAND_DRBG *drbg); -int drbg_hmac_init(RAND_DRBG *drbg); /* * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests. |