Implement automatic reseeding of DRBG after a specified time interval

[openssl.git] / include / internal / rand.h

diff --git a/include/internal/rand.h b/include/internal/rand.h
index 4e30e38aa123c343176745095f62948b6fee6875..2f9a8015bee79b689fd60e55f25f010c5cd4f566 100644 (file)
--- a/include/internal/rand.h
+++ b/include/internal/rand.h
@@ -13,6 +13,17 @@
 /* In CTR mode, use derivation function ctr_df */
 #define RAND_DRBG_FLAG_CTR_USE_DF            0x2
 
+/*
+ * Default security strength (in the sense of [NIST SP 800-90Ar1])
+ * of the default OpenSSL DRBG, and the corresponding NID.
+ *
+ * Currently supported values: 128, 192, 256
+ *
+ * TODO(DRBG): would be nice to have the strength configurable
+ */
+# define RAND_DRBG_STRENGTH             128
+# define RAND_DRBG_NID                  NID_aes_128_ctr
+
 /*
  * Object lifetime functions.
  */
@@ -31,8 +42,12 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
 int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
                        int prediction_resistance,
                        const unsigned char *adin, size_t adinlen);
-int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg, int interval);
-RAND_DRBG *RAND_DRBG_get0_global(void);
+int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg, unsigned int interval);
+int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg, time_t interval);
+
+RAND_DRBG *RAND_DRBG_get0_master(void);
+RAND_DRBG *RAND_DRBG_get0_public(void);
+RAND_DRBG *RAND_DRBG_get0_private(void);
 
 /*
  * EXDATA
@@ -50,11 +65,12 @@ typedef size_t (*RAND_DRBG_get_entropy_fn)(RAND_DRBG *ctx,
                                            int entropy, size_t min_len,
                                            size_t max_len);
 typedef void (*RAND_DRBG_cleanup_entropy_fn)(RAND_DRBG *ctx,
-                                             unsigned char *out);
+                                             unsigned char *out, size_t outlen);
 typedef size_t (*RAND_DRBG_get_nonce_fn)(RAND_DRBG *ctx, unsigned char **pout,
                                          int entropy, size_t min_len,
                                          size_t max_len);
-typedef void (*RAND_DRBG_cleanup_nonce_fn)(RAND_DRBG *ctx, unsigned char *out);
+typedef void (*RAND_DRBG_cleanup_nonce_fn)(RAND_DRBG *ctx,
+                                           unsigned char *out, size_t outlen);
 
 int RAND_DRBG_set_callbacks(RAND_DRBG *dctx,
                             RAND_DRBG_get_entropy_fn get_entropy,
@@ -62,4 +78,38 @@ int RAND_DRBG_set_callbacks(RAND_DRBG *dctx,
                             RAND_DRBG_get_nonce_fn get_nonce,
                             RAND_DRBG_cleanup_nonce_fn cleanup_nonce);
 
+/*
+ * RAND_POOL functions
+ */
+RAND_POOL *RAND_POOL_new(int entropy_requested, size_t min_len, size_t max_len);
+void RAND_POOL_free(RAND_POOL *pool);
+
+const unsigned char *RAND_POOL_buffer(RAND_POOL *pool);
+unsigned char *RAND_POOL_detach(RAND_POOL *pool);
+
+size_t RAND_POOL_entropy(RAND_POOL *pool);
+size_t RAND_POOL_length(RAND_POOL *pool);
+
+size_t RAND_POOL_entropy_available(RAND_POOL *pool);
+size_t RAND_POOL_entropy_needed(RAND_POOL *pool);
+size_t RAND_POOL_bytes_needed(RAND_POOL *pool, unsigned int entropy_per_byte);
+size_t RAND_POOL_bytes_remaining(RAND_POOL *pool);
+
+size_t RAND_POOL_add(RAND_POOL *pool,
+                     const unsigned char *buffer, size_t len, size_t entropy);
+unsigned char *RAND_POOL_add_begin(RAND_POOL *pool, size_t len);
+size_t RAND_POOL_add_end(RAND_POOL *pool, size_t len, size_t entropy);
+
+
+/*
+ * Add random bytes to the pool to acquire requested amount of entropy
+ *
+ * This function is platform specific and tries to acquire the requested
+ * amount of entropy by polling platform specific entropy sources.
+ *
+ * If the function succeeds in acquiring at least |entropy_requested| bits
+ * of entropy, the total entropy count is returned. If it fails, it returns
+ * an entropy count of 0.
+ */
+size_t RAND_POOL_acquire_entropy(RAND_POOL *pool);
 #endif