112238SN/A/* 212238SN/A * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 312238SN/A * 412238SN/A * Licensed under the Apache License 2.0 (the "License"). You may not use 512238SN/A * this file except in compliance with the License. You can obtain a copy 612238SN/A * in the file LICENSE in the source distribution or at 712238SN/A * https://www.openssl.org/source/license.html 812238SN/A */ 912238SN/A 1012238SN/A#ifndef OSSL_PROVIDER_RAND_POOL_H 1112238SN/A# define OSSL_PROVIDER_RAND_POOL_H 1212238SN/A# pragma once 1312238SN/A 1412238SN/A# include <stdio.h> 1512238SN/A# include <openssl/rand.h> 1612238SN/A 1712238SN/A/* 1812238SN/A * Maximum allocation size for RANDOM_POOL buffers 1912238SN/A * 2012238SN/A * The max_len value for the buffer provided to the rand_drbg_get_entropy() 2112238SN/A * callback is currently 2^31 bytes (2 gigabytes), if a derivation function 2212238SN/A * is used. Since this is much too large to be allocated, the ossl_rand_pool_new() 2312238SN/A * function chooses more modest values as default pool length, bounded 2412238SN/A * by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH 2512238SN/A * 2612238SN/A * The choice of the RAND_POOL_FACTOR is large enough such that the 2712238SN/A * RAND_POOL can store a random input which has a lousy entropy rate of 2812238SN/A * 8/256 (= 0.03125) bits per byte. This input will be sent through the 2912238SN/A * derivation function which 'compresses' the low quality input into a 3012238SN/A * high quality output. 3112238SN/A * 3212238SN/A * The factor 1.5 below is the pessimistic estimate for the extra amount 3312238SN/A * of entropy required when no get_nonce() callback is defined. 3412238SN/A */ 3512238SN/A# define RAND_POOL_FACTOR 256 3612238SN/A# define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \ 3712238SN/A 3 * (RAND_DRBG_STRENGTH / 16)) 3812238SN/A/* 3912238SN/A * = (RAND_POOL_FACTOR * \ 4012238SN/A * 1.5 * (RAND_DRBG_STRENGTH / 8)) 4113760Snaoto */ 4212238SN/A 4312238SN/A/* 4412238SN/A * Initial allocation minimum. 4512238SN/A * 4612238SN/A * There is a distinction between the secure and normal allocation minimums. 4712238SN/A * Ideally, the secure allocation size should be a power of two. The normal 4812238SN/A * allocation size doesn't have any such restriction. 4912238SN/A * 5012238SN/A * The secure value is based on 128 bits of secure material, which is 16 bytes. 5112238SN/A * Typically, the DRBGs will set a minimum larger than this so optimal 5212238SN/A * allocation ought to take place (for full quality seed material). 5312238SN/A * 5412238SN/A * The normal value has been chosen by noticing that the rand_drbg_get_nonce 5512238SN/A * function is usually the largest of the built in allocation (twenty four 5612238SN/A * bytes and then appending another sixteen bytes). This means the buffer ends 5712238SN/A * with 40 bytes. The value of forty eight is comfortably above this which 5812238SN/A * allows some slack in the platform specific values used. 5912238SN/A */ 6012238SN/A# define RAND_POOL_MIN_ALLOCATION(secure) ((secure) ? 16 : 48) 6112238SN/A 6212238SN/A/* 6312238SN/A * The 'random pool' acts as a dumb container for collecting random 6412238SN/A * input from various entropy sources. It is the callers duty to 1) initialize 6512238SN/A * the random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and 6612238SN/A * 4) cleanup the random pool again. 6712238SN/A * 6812238SN/A * The random pool contains no locking mechanism because its scope and 6912238SN/A * lifetime is intended to be restricted to a single stack frame. 7012238SN/A */ 7112238SN/Atypedef struct rand_pool_st { 7212238SN/A unsigned char *buffer; /* points to the beginning of the random pool */ 7312238SN/A size_t len; /* current number of random bytes contained in the pool */ 7412238SN/A 7512238SN/A int attached; /* true pool was attached to existing buffer */ 7612238SN/A int secure; /* 1: allocated on the secure heap, 0: otherwise */ 7712238SN/A 7812238SN/A size_t min_len; /* minimum number of random bytes requested */ 7912238SN/A size_t max_len; /* maximum number of random bytes (allocated buffer size) */ 8012238SN/A size_t alloc_len; /* current number of bytes allocated */ 8112238SN/A size_t entropy; /* current entropy count in bits */ 82 size_t entropy_requested; /* requested entropy count in bits */ 83} RAND_POOL; 84 85RAND_POOL *ossl_rand_pool_new(int entropy_requested, int secure, 86 size_t min_len, size_t max_len); 87RAND_POOL *ossl_rand_pool_attach(const unsigned char *buffer, size_t len, 88 size_t entropy); 89void ossl_rand_pool_free(RAND_POOL *pool); 90 91const unsigned char *ossl_rand_pool_buffer(RAND_POOL *pool); 92unsigned char *ossl_rand_pool_detach(RAND_POOL *pool); 93void ossl_rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer); 94 95size_t ossl_rand_pool_entropy(RAND_POOL *pool); 96size_t ossl_rand_pool_length(RAND_POOL *pool); 97 98size_t ossl_rand_pool_entropy_available(RAND_POOL *pool); 99size_t ossl_rand_pool_entropy_needed(RAND_POOL *pool); 100/* |entropy_factor| expresses how many bits of data contain 1 bit of entropy */ 101size_t ossl_rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor); 102size_t ossl_rand_pool_bytes_remaining(RAND_POOL *pool); 103 104int ossl_rand_pool_add(RAND_POOL *pool, 105 const unsigned char *buffer, size_t len, size_t entropy); 106unsigned char *ossl_rand_pool_add_begin(RAND_POOL *pool, size_t len); 107int ossl_rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy); 108 109#endif /* OSSL_PROVIDER_RAND_POOL_H */ 110