1 /* Copyright (c) 2015, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #ifndef OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
16 #define OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
17
18 #include <openssl/aes.h>
19 #include <openssl/cpu.h>
20
21 #include "../../internal.h"
22 #include "../modes/internal.h"
23
24 #if defined(__cplusplus)
25 extern "C" {
26 #endif
27
28
29 #if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_FUCHSIA) && \
30 !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && !defined(OPENSSL_TRUSTY)
31 #define OPENSSL_URANDOM
32 #endif
33
34 // RAND_bytes_with_additional_data samples from the RNG after mixing 32 bytes
35 // from |user_additional_data| in.
36 void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
37 const uint8_t user_additional_data[32]);
38
39 #if defined(BORINGSSL_FIPS)
40
41 // We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to whiten.
42 #define BORINGSSL_FIPS_OVERREAD 10
43
44 // CRYPTO_get_seed_entropy writes |out_entropy_len| bytes of entropy, suitable
45 // for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the
46 // entropy came directly from the CPU and zero if it came from the OS. It
47 // actively obtains entropy from the CPU/OS and so should not be called from
48 // within the FIPS module if |BORINGSSL_FIPS_PASSIVE_ENTROPY| is defined.
49 void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
50 int *out_used_cpu);
51
52 #if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
53
54 // RAND_load_entropy supplies |entropy_len| bytes of entropy to the module. The
55 // |from_cpu| parameter is true iff the entropy was obtained directly from the
56 // CPU.
57 void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len,
58 int from_cpu);
59
60 // RAND_need_entropy is implemented outside of the FIPS module and is called
61 // when the module has stopped because it has run out of entropy.
62 void RAND_need_entropy(size_t bytes_needed);
63
64 #endif // BORINGSSL_FIPS_PASSIVE_ENTROPY
65 #endif // BORINGSSL_FIPS
66
67 // CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
68 // system.
69 void CRYPTO_sysrand(uint8_t *buf, size_t len);
70
71 #if defined(OPENSSL_URANDOM)
72 // CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy
73 // from the operating system.
74 void CRYPTO_init_sysrand(void);
75
76 // CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the
77 // operating system. It may draw from the |GRND_RANDOM| pool on Android,
78 // depending on the vendor's configuration.
79 void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len);
80
81 // CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the
82 // operating system, or early /dev/urandom data, and returns 1, _if_ the entropy
83 // pool is initialized or if getrandom() is not available and not in FIPS mode.
84 // Otherwise it will not block and will instead fill |buf| with all zeros and
85 // return 0.
86 int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);
87 #else
CRYPTO_init_sysrand(void)88 OPENSSL_INLINE void CRYPTO_init_sysrand(void) {}
89
CRYPTO_sysrand_for_seed(uint8_t * buf,size_t len)90 OPENSSL_INLINE void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len) {
91 CRYPTO_sysrand(buf, len);
92 }
93
CRYPTO_sysrand_if_available(uint8_t * buf,size_t len)94 OPENSSL_INLINE int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
95 CRYPTO_sysrand(buf, len);
96 return 1;
97 }
98 #endif
99
100 // rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has
101 // been enabled via |RAND_enable_fork_unsafe_buffering|.
102 int rand_fork_unsafe_buffering_enabled(void);
103
104 // CTR_DRBG_STATE contains the state of a CTR_DRBG based on AES-256. See SP
105 // 800-90Ar1.
106 typedef struct {
107 AES_KEY ks;
108 block128_f block;
109 ctr128_f ctr;
110 union {
111 uint8_t bytes[16];
112 uint32_t words[4];
113 } counter;
114 uint64_t reseed_counter;
115 } CTR_DRBG_STATE;
116
117 // See SP 800-90Ar1, table 3.
118 #define CTR_DRBG_ENTROPY_LEN 48
119 #define CTR_DRBG_MAX_GENERATE_LENGTH 65536
120
121 // CTR_DRBG_init initialises |*drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of
122 // entropy in |entropy| and, optionally, a personalization string up to
123 // |CTR_DRBG_ENTROPY_LEN| bytes in length. It returns one on success and zero
124 // on error.
125 OPENSSL_EXPORT int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
126 const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
127 const uint8_t *personalization,
128 size_t personalization_len);
129
130 // CTR_DRBG_reseed reseeds |drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of entropy
131 // in |entropy| and, optionally, up to |CTR_DRBG_ENTROPY_LEN| bytes of
132 // additional data. It returns one on success or zero on error.
133 OPENSSL_EXPORT int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg,
134 const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
135 const uint8_t *additional_data,
136 size_t additional_data_len);
137
138 // CTR_DRBG_generate processes to up |CTR_DRBG_ENTROPY_LEN| bytes of additional
139 // data (if any) and then writes |out_len| random bytes to |out|, where
140 // |out_len| <= |CTR_DRBG_MAX_GENERATE_LENGTH|. It returns one on success or
141 // zero on error.
142 OPENSSL_EXPORT int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out,
143 size_t out_len,
144 const uint8_t *additional_data,
145 size_t additional_data_len);
146
147 // CTR_DRBG_clear zeroises the state of |drbg|.
148 OPENSSL_EXPORT void CTR_DRBG_clear(CTR_DRBG_STATE *drbg);
149
150
151 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
152
have_rdrand(void)153 OPENSSL_INLINE int have_rdrand(void) {
154 return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0;
155 }
156
157 // have_fast_rdrand returns true if RDRAND is supported and it's reasonably
158 // fast. Concretely the latter is defined by whether the chip is Intel (fast) or
159 // not (assumed slow).
have_fast_rdrand(void)160 OPENSSL_INLINE int have_fast_rdrand(void) {
161 const uint32_t *const ia32cap = OPENSSL_ia32cap_get();
162 return (ia32cap[1] & (1u << 30)) && (ia32cap[0] & (1u << 30));
163 }
164
165 // CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to
166 // |out|. It returns one on success or zero on hardware failure.
167 int CRYPTO_rdrand(uint8_t out[8]);
168
169 // CRYPTO_rdrand_multiple8_buf fills |len| bytes at |buf| with random data from
170 // the hardware RNG. The |len| argument must be a multiple of eight. It returns
171 // one on success and zero on hardware failure.
172 int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
173
174 #else // OPENSSL_X86_64 && !OPENSSL_NO_ASM
175
have_rdrand(void)176 OPENSSL_INLINE int have_rdrand(void) {
177 return 0;
178 }
179
have_fast_rdrand(void)180 OPENSSL_INLINE int have_fast_rdrand(void) {
181 return 0;
182 }
183
184 #endif // OPENSSL_X86_64 && !OPENSSL_NO_ASM
185
186
187 #if defined(__cplusplus)
188 } // extern C
189 #endif
190
191 #endif // OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
192