1 /* Copyright (c) 2015, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #ifndef OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
16 #define OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
17
18 #include <openssl/aes.h>
19 #include <openssl/ctrdrbg.h>
20
21 #include "../../internal.h"
22 #include "../modes/internal.h"
23
24 #if defined(__cplusplus)
25 extern "C" {
26 #endif
27
28
29 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
30 #define OPENSSL_RAND_DETERMINISTIC
31 #elif defined(OPENSSL_TRUSTY)
32 #define OPENSSL_RAND_TRUSTY
33 #elif defined(OPENSSL_WINDOWS)
34 #define OPENSSL_RAND_WINDOWS
35 #elif defined(OPENSSL_LINUX)
36 #define OPENSSL_RAND_URANDOM
37 #elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS)
38 // Unlike macOS, iOS and similar hide away getentropy().
39 #define OPENSSL_RAND_IOS
40 #else
41 // By default if you are integrating BoringSSL we expect you to
42 // provide getentropy from the <unistd.h> header file.
43 #define OPENSSL_RAND_GETENTROPY
44 #endif
45
46 // RAND_bytes_with_additional_data samples from the RNG after mixing 32 bytes
47 // from |user_additional_data| in.
48 void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
49 const uint8_t user_additional_data[32]);
50
51 #if defined(BORINGSSL_FIPS)
52
53 // We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to whiten.
54 #define BORINGSSL_FIPS_OVERREAD 10
55
56 // CRYPTO_get_seed_entropy writes |out_entropy_len| bytes of entropy, suitable
57 // for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the
58 // entropy came directly from the CPU and zero if it came from the OS. It
59 // actively obtains entropy from the CPU/OS and so should not be called from
60 // within the FIPS module.
61 void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
62 int *out_used_cpu);
63
64 // RAND_load_entropy supplies |entropy_len| bytes of entropy to the module. The
65 // |want_additional_input| parameter is true iff the entropy was obtained from
66 // a source other than the system, e.g. directly from the CPU.
67 void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len,
68 int want_additional_input);
69
70 // RAND_need_entropy is implemented outside of the FIPS module and is called
71 // when the module has stopped because it has run out of entropy.
72 void RAND_need_entropy(size_t bytes_needed);
73
74 #endif // BORINGSSL_FIPS
75
76 // CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
77 // system.
78 void CRYPTO_sysrand(uint8_t *buf, size_t len);
79
80 // CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the
81 // operating system. It may draw from the |GRND_RANDOM| pool on Android,
82 // depending on the vendor's configuration.
83 void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len);
84
85 #if defined(OPENSSL_RAND_URANDOM) || defined(OPENSSL_RAND_WINDOWS)
86 // CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy
87 // from the operating system.
88 void CRYPTO_init_sysrand(void);
89 #else
CRYPTO_init_sysrand(void)90 OPENSSL_INLINE void CRYPTO_init_sysrand(void) {}
91 #endif // defined(OPENSSL_RAND_URANDOM) || defined(OPENSSL_RAND_WINDOWS)
92
93 #if defined(OPENSSL_RAND_URANDOM)
94 // CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the
95 // operating system, or early /dev/urandom data, and returns 1, _if_ the entropy
96 // pool is initialized or if getrandom() is not available and not in FIPS mode.
97 // Otherwise it will not block and will instead fill |buf| with all zeros and
98 // return 0.
99 int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);
100 #else
CRYPTO_sysrand_if_available(uint8_t * buf,size_t len)101 OPENSSL_INLINE int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
102 CRYPTO_sysrand(buf, len);
103 return 1;
104 }
105 #endif // defined(OPENSSL_RAND_URANDOM)
106
107 // rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has
108 // been enabled via |RAND_enable_fork_unsafe_buffering|.
109 int rand_fork_unsafe_buffering_enabled(void);
110
111 // CTR_DRBG_STATE contains the state of a CTR_DRBG based on AES-256. See SP
112 // 800-90Ar1.
113 struct ctr_drbg_state_st {
114 AES_KEY ks;
115 block128_f block;
116 ctr128_f ctr;
117 uint8_t counter[16];
118 uint64_t reseed_counter;
119 };
120
121 // CTR_DRBG_init initialises |*drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of
122 // entropy in |entropy| and, optionally, a personalization string up to
123 // |CTR_DRBG_ENTROPY_LEN| bytes in length. It returns one on success and zero
124 // on error.
125 OPENSSL_EXPORT int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
126 const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
127 const uint8_t *personalization,
128 size_t personalization_len);
129
130 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
131
have_rdrand(void)132 OPENSSL_INLINE int have_rdrand(void) {
133 return CRYPTO_is_RDRAND_capable();
134 }
135
136 // have_fast_rdrand returns true if RDRAND is supported and it's reasonably
137 // fast. Concretely the latter is defined by whether the chip is Intel (fast) or
138 // not (assumed slow).
have_fast_rdrand(void)139 OPENSSL_INLINE int have_fast_rdrand(void) {
140 return CRYPTO_is_RDRAND_capable() && CRYPTO_is_intel_cpu();
141 }
142
143 // CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to
144 // |out|. It returns one on success or zero on hardware failure.
145 int CRYPTO_rdrand(uint8_t out[8]);
146
147 // CRYPTO_rdrand_multiple8_buf fills |len| bytes at |buf| with random data from
148 // the hardware RNG. The |len| argument must be a multiple of eight. It returns
149 // one on success and zero on hardware failure.
150 int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
151
152 #else // OPENSSL_X86_64 && !OPENSSL_NO_ASM
153
have_rdrand(void)154 OPENSSL_INLINE int have_rdrand(void) {
155 return 0;
156 }
157
have_fast_rdrand(void)158 OPENSSL_INLINE int have_fast_rdrand(void) {
159 return 0;
160 }
161
162 #endif // OPENSSL_X86_64 && !OPENSSL_NO_ASM
163
164
165 #if defined(__cplusplus)
166 } // extern C
167 #endif
168
169 #endif // OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
170