/* Microsoft Reference Implementation for TPM 2.0
 *
 *  The copyright in this software is being made available under the BSD License,
 *  included below. This software may be subject to other third party and
 *  contributor rights, including patent rights, and no such rights are granted
 *  under this license.
 *
 *  Copyright (c) Microsoft Corporation
 *
 *  All rights reserved.
 *
 *  BSD License
 *
 *  Redistribution and use in source and binary forms, with or without modification,
 *  are permitted provided that the following conditions are met:
 *
 *  Redistributions of source code must retain the above copyright notice, this list
 *  of conditions and the following disclaimer.
 *
 *  Redistributions in binary form must reproduce the above copyright notice, this
 *  list of conditions and the following disclaimer in the documentation and/or
 *  other materials provided with the distribution.
 *
 *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ""AS IS""
 *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 *  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
 *  ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 *  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 *  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
 *  ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
//** Introduction
// This file contains constant definitions shared by CryptUtil and the parts
// of the Crypto Engine.
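//

#ifndef _CRYPT_RAND_H
#define _CRYPT_RAND_H

//** DRBG Structures and Defines

// Values and structures for the random number generator. These values are defined
// in this header file so that the size of the RNG state can be known to TPM.lib.
// This allows the allocation of some space in NV memory for the state to
// be stored on an orderly shutdown.

// The DRBG based on a symmetric block cipher is defined by three values,
//  1) the key size
//  2) the block size (the IV size)
//  3) the symmetric algorithm

#define DRBG_KEY_SIZE_BITS      AES_MAX_KEY_SIZE_BITS
#define DRBG_IV_SIZE_BITS       (AES_MAX_BLOCK_SIZE * 8)
#define DRBG_ALGORITHM          TPM_ALG_AES

// The block-cipher primitives used by the DRBG are bound here so that the DRBG
// code itself does not name AES directly.
typedef tpmKeyScheduleAES       DRBG_KEY_SCHEDULE;
#define DRBG_ENCRYPT_SETUP(key, keySizeInBits, schedule)                        \
        TpmCryptSetEncryptKeyAES(key, keySizeInBits, schedule)
#define DRBG_ENCRYPT(keySchedule, in, out)                                      \
        TpmCryptEncryptAES(SWIZZLE(keySchedule, in, out))

// The key and IV are also addressed as arrays of crypt_uword_t (see the unions
// below), so both sizes must be whole multiples of the radix, and the key must
// be a whole number of cipher blocks.
#if ((DRBG_KEY_SIZE_BITS % RADIX_BITS) != 0)                                    \
    || ((DRBG_IV_SIZE_BITS % RADIX_BITS) != 0)
#error "Key size and IV for DRBG must be even multiples of the radix"
#endif
#if (DRBG_KEY_SIZE_BITS % DRBG_IV_SIZE_BITS) != 0
#error "Key size for DRBG must be even multiple of the cypher block size"
#endif

// Derived values
// Both of these limits exceed the range of a 32-bit 'int', so the shifted
// operand is widened first: '1 << 48' (and '1 << 32') on a 32-bit int is
// undefined behavior in C. The cast matches CTR_DRBG_MAX_REQUESTS_PER_RESEED
// below. The spelling of DRBG_MAX_REQEST_SIZE is kept because it is part of
// the public header.
#define DRBG_MAX_REQUESTS_PER_RESEED    ((UINT64)1 << 48)
#define DRBG_MAX_REQEST_SIZE            ((UINT64)1 << 32)

// A seed is laid out as the key followed immediately by the IV; these macros
// view the two halves of a DRBG_SEED in place. Alignment is preserved because
// DRBG_SEED is a union that contains crypt_uword_t words and
// DRBG_KEY_SIZE_BYTES is a whole number of RADIX_BYTES.
#define pDRBG_KEY(seed) ((DRBG_KEY *)&(((BYTE *)(seed))[0]))
#define pDRBG_IV(seed)  ((DRBG_IV *)&(((BYTE *)(seed))[DRBG_KEY_SIZE_BYTES]))

#define DRBG_KEY_SIZE_WORDS     (BITS_TO_CRYPT_WORDS(DRBG_KEY_SIZE_BITS))
#define DRBG_KEY_SIZE_BYTES     (DRBG_KEY_SIZE_WORDS * RADIX_BYTES)

#define DRBG_IV_SIZE_WORDS      (BITS_TO_CRYPT_WORDS(DRBG_IV_SIZE_BITS))
#define DRBG_IV_SIZE_BYTES      (DRBG_IV_SIZE_WORDS * RADIX_BYTES)

#define DRBG_SEED_SIZE_WORDS    (DRBG_KEY_SIZE_WORDS + DRBG_IV_SIZE_WORDS)
#define DRBG_SEED_SIZE_BYTES    (DRBG_KEY_SIZE_BYTES + DRBG_IV_SIZE_BYTES)

// Key, IV and seed are unions so that the same storage can be addressed either
// as bytes or as radix-sized words.
typedef union
{
    BYTE            bytes[DRBG_KEY_SIZE_BYTES];
    crypt_uword_t   words[DRBG_KEY_SIZE_WORDS];
} DRBG_KEY;

typedef union
{
    BYTE            bytes[DRBG_IV_SIZE_BYTES];
    crypt_uword_t   words[DRBG_IV_SIZE_WORDS];
} DRBG_IV;

typedef union
{
    BYTE            bytes[DRBG_SEED_SIZE_BYTES];
    crypt_uword_t   words[DRBG_SEED_SIZE_WORDS];
} DRBG_SEED;

// Operational limits of the CTR_DRBG; the names follow the CTR_DRBG parameters
// of NIST SP 800-90A. The reseed interval used here is well below the
// DRBG_MAX_REQUESTS_PER_RESEED bound above.
#define CTR_DRBG_MAX_REQUESTS_PER_RESEED        ((UINT64)1 << 20)
#define CTR_DRBG_MAX_BYTES_PER_REQUEST          (1 << 16)

#define CTR_DRBG_MIN_ENTROPY_INPUT_LENGTH       DRBG_SEED_SIZE_BYTES
#define CTR_DRBG_MAX_ENTROPY_INPUT_LENGTH       DRBG_SEED_SIZE_BYTES
#define CTR_DRBG_MAX_ADDITIONAL_INPUT_LENGTH    DRBG_SEED_SIZE_BYTES

// Bit flags kept in g_cryptoSelfTestState.rng.
#define TESTING     (1 << 0)
#define ENTROPY     (1 << 1)
#define TESTED      (1 << 2)

// BIT is parenthesized so that a compound expression passed as the argument
// is masked as a whole rather than rebinding with '&', '|=' or '~'.
#define IsTestStateSet(BIT)     ((g_cryptoSelfTestState.rng & (BIT)) != 0)
#define SetTestStateBit(BIT)    (g_cryptoSelfTestState.rng |= (BIT))
#define ClearTestStateBit(BIT)  (g_cryptoSelfTestState.rng &= ~(BIT))

#define IsSelfTest()        IsTestStateSet(TESTING)
#define SetSelfTest()       SetTestStateBit(TESTING)
#define ClearSelfTest()     ClearTestStateBit(TESTING)

#define IsEntropyBad()      IsTestStateSet(ENTROPY)
#define SetEntropyBad()     SetTestStateBit(ENTROPY)
#define ClearEntropyBad()   ClearTestStateBit(ENTROPY)

#define IsDrbgTested()      IsTestStateSet(TESTED)
#define SetDrbgTested()     SetTestStateBit(TESTED)
#define ClearDrbgTested()   ClearTestStateBit(TESTED)

// State of the counter-mode DRBG. It starts with a 64-bit counter and a 32-bit
// magic number, the layout every member of RAND_STATE must share (see below).
typedef struct
{
    UINT64      reseedCounter;
    UINT32      magic;
    DRBG_SEED   seed;           // contains the key and IV for the counter mode DRBG
    UINT32      lastValue[4];   // used when the TPM does continuous self-test
                                // for FIPS compliance of DRBG
} DRBG_STATE, *pDRBG_STATE;
// Stored little-endian, the bytes 0x44 0x52 0x42 0x47 read "DRBG" in a dump.
#define DRBG_MAGIC   ((UINT32) 0x47425244) // "DRBG" backwards so that it displays

// State of a KDF in progress. It shares the leading counter/magic layout with
// DRBG_STATE. The pointer members refer to data owned elsewhere; this header
// establishes nothing about their lifetime — TODO confirm against the KDF code.
// The spelling of pKDR_STATE is kept because it is part of the public header.
typedef struct KDF_STATE {
    UINT64              counter;
    UINT32              magic;
    UINT32              limit;
    TPM2B               *seed;
    const TPM2B         *label;
    TPM2B               *context;
    TPM_ALG_ID          hash;
    TPM_ALG_ID          kdf;
    UINT16              digestSize;
    TPM2B_DIGEST        residual;
} KDF_STATE, *pKDR_STATE;
// NOTE(review): the comment says "KDF " but, read little-endian, the bytes of
// 0x4048444a are 'J','D','H','@' ("KDF " backwards would be 0x2046444b). The
// value is left unchanged here because existing state may be checked against
// it; confirm which value is intended.
#define KDF_MAGIC    ((UINT32) 0x4048444a) // "KDF " backwards

// Make sure that any other structures added to this union start with a 64-bit
// counter and a 32-bit magic number
typedef union
{
    DRBG_STATE      drbg;
    KDF_STATE       kdf;
} RAND_STATE;

// This is the state used when the library uses a random number generator.
// A special function is installed for the library to call. That function
// picks up the state from this location and uses it for the generation
// of the random number.
extern RAND_STATE           *s_random;

// When instrumenting RSA key sieve
// PRIME_INDEX() maps the RSA modulus size to a slot in the per-size counter
// arrays declared below; it is only defined when RSA_INSTRUMENT is set.
// All INSTRUMENT_* macros are parenthesized so that they are usable as
// single expression statements, and expand to nothing when not instrumenting.
#if RSA_INSTRUMENT
#define PRIME_INDEX(x)  ((x) == 512 ? 0 : (x) == 1024 ? 1 : 2)
#define INSTRUMENT_SET(a, b)    ((a) = (b))
#define INSTRUMENT_ADD(a, b)    ((a) = (a) + (b))
#define INSTRUMENT_INC(a)       ((a) = (a) + 1)

extern UINT32  PrimeIndex;
extern UINT32  failedAtIteration[10];
extern UINT32  PrimeCounts[3];
extern UINT32  MillerRabinTrials[3];
extern UINT32  totalFieldsSieved[3];
extern UINT32  bitsInFieldAfterSieve[3];
extern UINT32  emptyFieldsSieved[3];
extern UINT32  noPrimeFields[3];
extern UINT32  primesChecked[3];
extern UINT16  lastSievePrime;
#else
#define INSTRUMENT_SET(a, b)
#define INSTRUMENT_ADD(a, b)
#define INSTRUMENT_INC(a)
#endif

#endif // _CRYPT_RAND_H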