rand_lcl.h 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #ifndef HEADER_RAND_LCL_H
  10. # define HEADER_RAND_LCL_H
  11. # include <openssl/aes.h>
  12. # include <openssl/evp.h>
  13. # include <openssl/sha.h>
  14. # include <openssl/hmac.h>
  15. # include <openssl/ec.h>
  16. # include <openssl/rand_drbg.h>
  17. # include "internal/tsan_assist.h"
  18. # include "internal/numbers.h"
  19. /* How many times to read the TSC as a randomness source. */
  20. # define TSC_READ_COUNT 4
  21. /* Maximum reseed intervals */
  22. # define MAX_RESEED_INTERVAL (1 << 24)
  23. # define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */
  24. /* Default reseed intervals */
  25. # define MASTER_RESEED_INTERVAL (1 << 8)
  26. # define SLAVE_RESEED_INTERVAL (1 << 16)
  27. # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
  28. # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
  29. /*
  30. * The number of bytes that constitutes an atomic lump of entropy with respect
  31. * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
  32. * arbitrary, the smaller the value, the less entropy is consumed on first
  33. * read but the higher the probability of the test failing by accident.
  34. *
  35. * The value is in bytes.
  36. */
  37. #define CRNGT_BUFSIZ 16
  38. /*
  39. * Maximum input size for the DRBG (entropy, nonce, personalization string)
  40. *
  41. * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes.
  42. *
  43. * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes.
  44. */
  45. # define DRBG_MAX_LENGTH INT32_MAX
  46. /* The default nonce */
  47. # define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
  48. /*
  49. * Maximum allocation size for RANDOM_POOL buffers
  50. *
  51. * The max_len value for the buffer provided to the rand_drbg_get_entropy()
  52. * callback is currently 2^31 bytes (2 gigabytes), if a derivation function
  53. * is used. Since this is much too large to be allocated, the rand_pool_new()
  54. * function chooses more modest values as default pool length, bounded
  55. * by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH
  56. *
  57. * The choice of the RAND_POOL_FACTOR is large enough such that the
  58. * RAND_POOL can store a random input which has a lousy entropy rate of
  59. * 8/256 (= 0.03125) bits per byte. This input will be sent through the
  60. * derivation function which 'compresses' the low quality input into a
  61. * high quality output.
  62. *
  63. * The factor 1.5 below is the pessimistic estimate for the extra amount
  64. * of entropy required when no get_nonce() callback is defined.
  65. */
  66. # define RAND_POOL_FACTOR 256
  67. # define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \
  68. 3 * (RAND_DRBG_STRENGTH / 16))
  69. /*
  70. * = (RAND_POOL_FACTOR * \
  71. * 1.5 * (RAND_DRBG_STRENGTH / 8))
  72. */
  73. /* DRBG status values */
  74. typedef enum drbg_status_e {
  75. DRBG_UNINITIALISED,
  76. DRBG_READY,
  77. DRBG_ERROR
  78. } DRBG_STATUS;
  79. /* instantiate */
  80. typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx,
  81. const unsigned char *ent,
  82. size_t entlen,
  83. const unsigned char *nonce,
  84. size_t noncelen,
  85. const unsigned char *pers,
  86. size_t perslen);
  87. /* reseed */
  88. typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx,
  89. const unsigned char *ent,
  90. size_t entlen,
  91. const unsigned char *adin,
  92. size_t adinlen);
  93. /* generate output */
  94. typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx,
  95. unsigned char *out,
  96. size_t outlen,
  97. const unsigned char *adin,
  98. size_t adinlen);
  99. /* uninstantiate */
  100. typedef int (*RAND_DRBG_uninstantiate_fn)(RAND_DRBG *ctx);
  101. /*
  102. * The DRBG methods
  103. */
  104. typedef struct rand_drbg_method_st {
  105. RAND_DRBG_instantiate_fn instantiate;
  106. RAND_DRBG_reseed_fn reseed;
  107. RAND_DRBG_generate_fn generate;
  108. RAND_DRBG_uninstantiate_fn uninstantiate;
  109. } RAND_DRBG_METHOD;
  110. /* 888 bits from SP800-90Ar1 10.1 table 2 */
  111. #define HASH_PRNG_MAX_SEEDLEN (888/8)
  112. typedef struct rand_drbg_hash_st {
  113. const EVP_MD *md;
  114. EVP_MD_CTX *ctx;
  115. size_t blocklen;
  116. unsigned char V[HASH_PRNG_MAX_SEEDLEN];
  117. unsigned char C[HASH_PRNG_MAX_SEEDLEN];
  118. /* Temporary value storage: should always exceed max digest length */
  119. unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
  120. } RAND_DRBG_HASH;
  121. typedef struct rand_drbg_hmac_st {
  122. const EVP_MD *md;
  123. HMAC_CTX *ctx;
  124. size_t blocklen;
  125. unsigned char K[EVP_MAX_MD_SIZE];
  126. unsigned char V[EVP_MAX_MD_SIZE];
  127. } RAND_DRBG_HMAC;
  128. /*
  129. * The state of a DRBG AES-CTR.
  130. */
  131. typedef struct rand_drbg_ctr_st {
  132. EVP_CIPHER_CTX *ctx;
  133. EVP_CIPHER_CTX *ctx_df;
  134. const EVP_CIPHER *cipher;
  135. size_t keylen;
  136. unsigned char K[32];
  137. unsigned char V[16];
  138. /* Temporary block storage used by ctr_df */
  139. unsigned char bltmp[16];
  140. size_t bltmp_pos;
  141. unsigned char KX[48];
  142. } RAND_DRBG_CTR;
  143. /*
  144. * The 'random pool' acts as a dumb container for collecting random
  145. * input from various entropy sources. The pool has no knowledge about
  146. * whether its randomness is fed into a legacy RAND_METHOD via RAND_add()
  147. * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the
  148. * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and
  149. * 4) cleanup the random pool again.
  150. *
  151. * The random pool contains no locking mechanism because its scope and
  152. * lifetime is intended to be restricted to a single stack frame.
  153. */
  154. struct rand_pool_st {
  155. unsigned char *buffer; /* points to the beginning of the random pool */
  156. size_t len; /* current number of random bytes contained in the pool */
  157. int attached; /* true pool was attached to existing buffer */
  158. size_t min_len; /* minimum number of random bytes requested */
  159. size_t max_len; /* maximum number of random bytes (allocated buffer size) */
  160. size_t entropy; /* current entropy count in bits */
  161. size_t entropy_requested; /* requested entropy count in bits */
  162. };
  163. /*
  164. * The state of all types of DRBGs, even though we only have CTR mode
  165. * right now.
  166. */
  167. struct rand_drbg_st {
  168. CRYPTO_RWLOCK *lock;
  169. /* The library context this DRBG is associated with, if any */
  170. OPENSSL_CTX *libctx;
  171. RAND_DRBG *parent;
  172. int secure; /* 1: allocated on the secure heap, 0: otherwise */
  173. int type; /* the nid of the underlying algorithm */
  174. /*
  175. * Stores the value of the rand_fork_count global as of when we last
  176. * reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
  177. * rand_fork_count. Used to provide fork-safety and reseed this DRBG in
  178. * the child process.
  179. */
  180. int fork_count;
  181. unsigned short flags; /* various external flags */
  182. /*
  183. * The random_data is used by RAND_add()/drbg_add() to attach random
  184. * data to the global drbg, such that the rand_drbg_get_entropy() callback
  185. * can pull it during instantiation and reseeding. This is necessary to
  186. * reconcile the different philosophies of the RAND and the RAND_DRBG
  187. * with respect to how randomness is added to the RNG during reseeding
  188. * (see PR #4328).
  189. */
  190. struct rand_pool_st *seed_pool;
  191. /*
  192. * Auxiliary pool for additional data.
  193. */
  194. struct rand_pool_st *adin_pool;
  195. /*
  196. * The following parameters are setup by the per-type "init" function.
  197. *
  198. * The supported types and their init functions are:
  199. * (1) CTR_DRBG: drbg_ctr_init().
  200. * (2) HMAC_DRBG: drbg_hmac_init().
  201. * (3) HASH_DRBG: drbg_hash_init().
  202. *
  203. * The parameters are closely related to the ones described in
  204. * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
  205. * crucial difference: In the NIST standard, all counts are given
  206. * in bits, whereas in OpenSSL entropy counts are given in bits
  207. * and buffer lengths are given in bytes.
  208. *
  209. * Since this difference has lead to some confusion in the past,
  210. * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
  211. * the 'len' suffix has been added to all buffer sizes for
  212. * clarification.
  213. */
  214. int strength;
  215. size_t max_request;
  216. size_t min_entropylen, max_entropylen;
  217. size_t min_noncelen, max_noncelen;
  218. size_t max_perslen, max_adinlen;
  219. /*
  220. * Counts the number of generate requests since the last reseed
  221. * (Starts at 1). This value is the reseed_counter as defined in
  222. * NIST SP 800-90Ar1
  223. */
  224. unsigned int reseed_gen_counter;
  225. /*
  226. * Maximum number of generate requests until a reseed is required.
  227. * This value is ignored if it is zero.
  228. */
  229. unsigned int reseed_interval;
  230. /* Stores the time when the last reseeding occurred */
  231. time_t reseed_time;
  232. /*
  233. * Specifies the maximum time interval (in seconds) between reseeds.
  234. * This value is ignored if it is zero.
  235. */
  236. time_t reseed_time_interval;
  237. /*
  238. * Counts the number of reseeds since instantiation.
  239. * This value is ignored if it is zero.
  240. *
  241. * This counter is used only for seed propagation from the <master> DRBG
  242. * to its two children, the <public> and <private> DRBG. This feature is
  243. * very special and its sole purpose is to ensure that any randomness which
  244. * is added by RAND_add() or RAND_seed() will have an immediate effect on
  245. * the output of RAND_bytes() resp. RAND_priv_bytes().
  246. */
  247. TSAN_QUALIFIER unsigned int reseed_prop_counter;
  248. unsigned int reseed_next_counter;
  249. size_t seedlen;
  250. DRBG_STATUS state;
  251. /* Application data, mainly used in the KATs. */
  252. CRYPTO_EX_DATA ex_data;
  253. /* Implementation specific data */
  254. union {
  255. RAND_DRBG_CTR ctr;
  256. RAND_DRBG_HASH hash;
  257. RAND_DRBG_HMAC hmac;
  258. } data;
  259. /* Implementation specific methods */
  260. RAND_DRBG_METHOD *meth;
  261. /* Callback functions. See comments in rand_lib.c */
  262. RAND_DRBG_get_entropy_fn get_entropy;
  263. RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
  264. RAND_DRBG_get_nonce_fn get_nonce;
  265. RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
  266. };
  267. /* The global RAND method, and the global buffer and DRBG instance. */
  268. extern RAND_METHOD rand_meth;
  269. /*
  270. * A "generation count" of forks. Incremented in the child process after a
  271. * fork. Since rand_fork_count is increment-only, and only ever written to in
  272. * the child process of the fork, which is guaranteed to be single-threaded, no
  273. * locking is needed for normal (read) accesses; the rest of pthread fork
  274. * processing is assumed to introduce the necessary memory barriers. Sibling
  275. * children of a given parent will produce duplicate values, but this is not
  276. * problematic because the reseeding process pulls input from the system CSPRNG
  277. * and/or other global sources, so the siblings will end up generating
  278. * different output streams.
  279. */
  280. extern int rand_fork_count;
  281. /* DRBG helpers */
  282. int rand_drbg_restart(RAND_DRBG *drbg,
  283. const unsigned char *buffer, size_t len, size_t entropy);
  284. size_t rand_drbg_seedlen(RAND_DRBG *drbg);
  285. /* locking api */
  286. int rand_drbg_lock(RAND_DRBG *drbg);
  287. int rand_drbg_unlock(RAND_DRBG *drbg);
  288. int rand_drbg_enable_locking(RAND_DRBG *drbg);
  289. /* initializes the DRBG implementation */
  290. int drbg_ctr_init(RAND_DRBG *drbg);
  291. int drbg_hash_init(RAND_DRBG *drbg);
  292. int drbg_hmac_init(RAND_DRBG *drbg);
  293. /*
  294. * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
  295. * These need to be exposed for the unit tests.
  296. */
  297. int rand_crngt_get_entropy_cb(OPENSSL_CTX *ctx, unsigned char *buf,
  298. unsigned char *md, unsigned int *md_size);
  299. extern int (*crngt_get_entropy)(OPENSSL_CTX *ctx, unsigned char *buf,
  300. unsigned char *md,
  301. unsigned int *md_size);
  302. #endif