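/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#pragma once

#include <openssl/evp.h>
/* bool and the fixed-width integer types are used directly below, so include
 * them here instead of relying on another header to pull them in. */
#include <stdbool.h>
#include <stdint.h>

#include "crypto/s2n_hash.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_result.h"

/* Size in bytes of the DRBG value 'v' below: one AES block. */
#define S2N_DRBG_BLOCK_SIZE    16
/* Largest key size in bytes across the supported modes (AES-256). */
#define S2N_DRBG_MAX_KEY_SIZE  32
/* Seed length for the largest mode: one block plus one maximum-size key. */
#define S2N_DRBG_MAX_SEED_SIZE (S2N_DRBG_BLOCK_SIZE + S2N_DRBG_MAX_KEY_SIZE)

/* The maximum size of any one request: from NIST SP800-90A 10.2.1 Table 3.
 * NOTE(review): the unit is not stated here; presumably bytes, compared
 * against the size of the blob passed to s2n_drbg_generate - confirm in
 * s2n_drbg.c. */
#define S2N_DRBG_GENERATE_LIMIT 8192

/*
 * Working state of one DRBG instance.
 *
 * 'v' is secret generator state, and 'ctx' presumably carries the AES key
 * schedule. Anything that copies, logs, or serializes this struct (or leaves
 * it in memory that outlives the DRBG) discloses future output.
 * s2n_drbg_wipe() is declared below for disposal.
 */
struct s2n_drbg {
    /* Track how many bytes have been used */
    uint64_t bytes_used;

    /* OpenSSL cipher context used by the generator */
    EVP_CIPHER_CTX *ctx;

    /* The current DRBG 'value' */
    uint8_t v[S2N_DRBG_BLOCK_SIZE];

    /* Used only by the unit tests: how many times has entropy been mixed in */
    uint64_t mixes;
};

/*
 * S2N_AES_128_CTR_NO_DF_PR is a deterministic random bit generator using AES 128 in counter mode (AES_128_CTR). It does not
 * use a derivation function (NO_DF) on the seed but does have prediction resistance (PR).
 *
 * S2N_AES_256_CTR_NO_DF_PR is a deterministic random bit generator using AES 256 in counter mode (AES_256_CTR). It does not
 * use a derivation function on the seed but does have prediction resistance.
 *
 * Because no derivation function conditions the seed, SP 800-90A requires the
 * entropy input itself to be full-entropy; the quality of the entropy source
 * is therefore part of the security argument for both modes.
 */
typedef enum {
    S2N_AES_128_CTR_NO_DF_PR,
    S2N_AES_256_CTR_NO_DF_PR
} s2n_drbg_mode;

/* Per NIST SP 800-90C 6.3
 *
 * s2n's DRBG uses prediction resistance and does not support the
 * additional_input parameter (which per 800-90C may be zero).
 *
 * The security strength provided by s2n's DRBG is either 128 or 256 bits
 * depending on the s2n_drbg_mode passed in.
 *
 * Every function below reports failure through its S2N_RESULT return value.
 * Callers should check it before treating the contents of an output buffer
 * as random data.
 */

/* Set up 'drbg' for the given mode, mixing in 'personalization_string'. */
S2N_RESULT s2n_drbg_instantiate(struct s2n_drbg *drbg, struct s2n_blob *personalization_string, const s2n_drbg_mode mode);

/* Produce output into 'returned_bits'.
 * NOTE(review): a single request is presumably rejected when it exceeds
 * S2N_DRBG_GENERATE_LIMIT - confirm in s2n_drbg.c. */
S2N_RESULT s2n_drbg_generate(struct s2n_drbg *drbg, struct s2n_blob *returned_bits);

/* Dispose of a DRBG instance.
 * NOTE(review): presumably zeroizes 'v' and releases 'ctx'; confirm that the
 * clearing cannot be optimized away and that every exit path of the owning
 * code reaches this call. */
S2N_RESULT s2n_drbg_wipe(struct s2n_drbg *drbg);

/* Report the running total kept in drbg->bytes_used through '*bytes_used'. */
S2N_RESULT s2n_drbg_bytes_used(struct s2n_drbg *drbg, uint64_t *bytes_used);

/* Use for testing only.
 * NOTE(review): judging by the name, this switches off the per-request
 * entropy mixing that gives the modes above their prediction resistance.
 * Confirm that it is unreachable from production code paths and that the
 * setting cannot persist outside unit-test builds. */
S2N_RESULT s2n_ignore_prediction_resistance_for_testing(bool true_or_false);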