# include <openssl/sha.h>
# include <openssl/hmac.h>
# include <openssl/ec.h>
-# include "include/internal/rand.h"
+# include "internal/rand.h"
+
+/*
+ * Amount of randomness (in bytes) we want for initial seeding.
+ * This is based on the fact that we use AES-128 as the CRBG, and
+ * that we use the derivation function. If either of those changes,
+ * (see rand_init() in rand_lib.c), change this.
+ */
+# define RANDOMNESS_NEEDED 16
+
+/* How many times to read the TSC as a randomness source. */
+# define TSC_READ_COUNT 4
+
+/* Maximum amount of randomness to hold in RAND_BYTES_BUFFER. */
+# define MAX_RANDOMNESS_HELD (4 * RANDOMNESS_NEEDED)
+
+/* Maximum count allowed in reseeding */
+# define MAX_RESEED (1 << 24)
+
+/* How often we call RAND_poll() in drbg_entropy_from_system */
+# define RAND_POLL_RETRIES 8
+
+/* Max size of entropy, addin, etc. Larger than any reasonable value */
+# define DRBG_MAX_LENGTH 0x7ffffff0
-/* we require 256 bits of randomness */
-# define RANDOMNESS_NEEDED (256 / 8)
/* DRBG status values */
-#define DRBG_STATUS_UNINITIALISED 0
-#define DRBG_STATUS_READY 1
-#define DRBG_STATUS_RESEED 2
-#define DRBG_STATUS_ERROR 3
+typedef enum drbg_status_e {
+ DRBG_UNINITIALISED,
+ DRBG_READY,
+ DRBG_RESEED,
+ DRBG_ERROR
+} DRBG_STATUS;
-/* A default maximum length: larger than any reasonable value used in pratice */
-#define DRBG_MAX_LENGTH 0x7ffffff0
-typedef struct drbg_ctr_ctx_st {
+/*
+ * A buffer of random bytes to be fed as "entropy" into the DRBG. RAND_add()
+ * adds data to the buffer, and the drbg_entropy_from_system() pulls data from
+ * the buffer. We have a separate data structure because of the way the
+ * API is defined; otherwise we'd run into deadlocks (RAND_bytes ->
+ * RAND_DRBG_generate* -> drbg_entropy_from_system -> RAND_poll -> RAND_add ->
+ * drbg_add*; the functions with an asterisk lock).
+ */
+typedef struct rand_bytes_buffer_st {
+ CRYPTO_RWLOCK *lock;
+ unsigned char *buff;
+ size_t size;
+ size_t curr;
+ int secure;
+} RAND_BYTES_BUFFER;
+
+/*
+ * The state of a DRBG AES-CTR.
+ */
+typedef struct rand_drbg_ctr_st {
AES_KEY ks;
size_t keylen;
unsigned char K[32];
unsigned char bltmp[16];
size_t bltmp_pos;
unsigned char KX[48];
-} DRBG_CTR_CTX;
+} RAND_DRBG_CTR;
-struct drbg_ctx_st {
- CRYPTO_RWLOCK *lock;
- DRBG_CTX *parent;
- int nid; /* the NID of the underlying algorithm */
- unsigned int flags; /* various external flags */
- /* The following parameters are setup by mechanism drbg_init() call */
+/*
+ * The state of all types of DRBGs, even though we only have CTR mode
+ * right now.
+ */
+struct rand_drbg_st {
+ CRYPTO_RWLOCK *lock;
+ RAND_DRBG *parent;
+ int nid; /* the underlying algorithm */
+ int fork_count;
+ unsigned short flags; /* various external flags */
+ char filled;
+ char secure;
+ /*
+ * This is a fixed-size buffer, but we malloc to make it a little
+ * harder to find; a classic security/performance trade-off.
+ */
+ int size;
+ unsigned char *randomness;
+
+ /* These parameters are setup by the per-type "init" function. */
int strength;
- size_t blocklength;
size_t max_request;
size_t min_entropy, max_entropy;
size_t min_nonce, max_nonce;
unsigned int reseed_counter;
unsigned int reseed_interval;
size_t seedlen;
- int status;
+ DRBG_STATUS state;
- /* Application data: typically (only?) used by test get_entropy */
+ /* Application data, mainly used in the KATs. */
CRYPTO_EX_DATA ex_data;
- /* Implementation specific structures */
- DRBG_CTR_CTX ctr;
-
- /* entropy gathering function */
- size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
- int entropy, size_t min_len, size_t max_len);
- /* Indicates we have finished with entropy buffer */
- void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
+ /* Implementation specific structures; was a union, but inline for now */
+ RAND_DRBG_CTR ctr;
- /* nonce gathering function */
- size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
- int entropy, size_t min_len, size_t max_len);
- /* Indicates we have finished with nonce buffer */
- void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
+ /* Callback functions. See comments in rand_lib.c */
+ RAND_DRBG_get_entropy_fn get_entropy;
+ RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
+ RAND_DRBG_get_nonce_fn get_nonce;
+ RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
};
-
-extern RAND_METHOD openssl_rand_meth;
-void rand_drbg_cleanup(void);
-
-int ctr_init(DRBG_CTX *dctx);
-int drbg_hash_init(DRBG_CTX *dctx);
-int drbg_hmac_init(DRBG_CTX *dctx);
-int ctr_uninstantiate(DRBG_CTX *dctx);
-int ctr_instantiate(DRBG_CTX *dctx,
+/* The global RAND method, and the global buffer and DRBG instance. */
+extern RAND_METHOD rand_meth;
+extern RAND_BYTES_BUFFER rand_bytes;
+extern RAND_DRBG rand_drbg;
+extern RAND_DRBG priv_drbg;
+
+/* How often we've forked (only incremented in child). */
+extern int rand_fork_count;
+
+/* Hardware-based seeding functions. */
+void rand_read_tsc(RAND_poll_fn cb, void *arg);
+int rand_read_cpu(RAND_poll_fn cb, void *arg);
+
+/* DRBG entropy callbacks. */
+void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out);
+size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len);
+size_t drbg_entropy_from_system(RAND_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len);
+
+/* DRBG functions implementing AES-CTR */
+int ctr_init(RAND_DRBG *drbg);
+int ctr_uninstantiate(RAND_DRBG *drbg);
+int ctr_instantiate(RAND_DRBG *drbg,
const unsigned char *ent, size_t entlen,
const unsigned char *nonce, size_t noncelen,
const unsigned char *pers, size_t perslen);
-int ctr_reseed(DRBG_CTX *dctx,
+int ctr_reseed(RAND_DRBG *drbg,
const unsigned char *ent, size_t entlen,
const unsigned char *adin, size_t adinlen);
-int ctr_generate(DRBG_CTX *dctx,
+int ctr_generate(RAND_DRBG *drbg,
unsigned char *out, size_t outlen,
const unsigned char *adin, size_t adinlen);