ext-cryptopp/osrng.h

305 lines
11 KiB
C
Raw Normal View History

// osrng.h - originally written and placed in the public domain by Wei Dai
2015-11-05 06:59:46 +00:00
/// \file osrng.h
/// \brief Classes for access to the operating system's random number generators
#ifndef CRYPTOPP_OSRNG_H
#define CRYPTOPP_OSRNG_H
2015-11-05 06:59:46 +00:00
#include "config.h"
#if !defined(NO_OS_DEPENDENCE) && defined(OS_RNG_AVAILABLE)
2015-11-05 06:59:46 +00:00
#include "cryptlib.h"
#include "randpool.h"
#include "smartptr.h"
#include "fips140.h"
#include "hkdf.h"
2015-11-05 06:59:46 +00:00
#include "rng.h"
#include "aes.h"
#include "sha.h"
NAMESPACE_BEGIN(CryptoPP)
/// \brief Exception thrown when an operating system error is encountered
2015-11-05 06:59:46 +00:00
class CRYPTOPP_DLL OS_RNG_Err : public Exception
{
public:
/// \brief Constructs an OS_RNG_Err
/// \param operation the operation or API call when the error occurs
2015-11-05 06:59:46 +00:00
OS_RNG_Err(const std::string &operation);
};
#ifdef NONBLOCKING_RNG_AVAILABLE
#ifdef CRYPTOPP_WIN32_AVAILABLE
/// \brief Wrapper for Microsoft crypto service provider
/// \sa \def USE_MS_CRYPTOAPI, \def USE_MS_CNGAPI
2015-11-05 06:59:46 +00:00
class CRYPTOPP_DLL MicrosoftCryptoProvider
{
public:
/// \brief Construct a MicrosoftCryptoProvider
2015-11-05 06:59:46 +00:00
MicrosoftCryptoProvider();
~MicrosoftCryptoProvider();
// type HCRYPTPROV and BCRYPT_ALG_HANDLE, avoid #include <windows.h>
#if defined(USE_MS_CRYPTOAPI)
# if defined(__CYGWIN__) && defined(__x86_64__)
2015-11-05 06:59:46 +00:00
typedef unsigned long long ProviderHandle;
# elif defined(WIN64) || defined(_WIN64)
2015-11-05 06:59:46 +00:00
typedef unsigned __int64 ProviderHandle;
# else
2015-11-05 06:59:46 +00:00
typedef unsigned long ProviderHandle;
# endif
#elif defined(USE_MS_CNGAPI)
typedef void *PVOID;
typedef PVOID ProviderHandle;
#endif // USE_MS_CRYPTOAPI or USE_MS_CNGAPI
2015-11-05 06:59:46 +00:00
/// \brief Retrieves the provider handle
/// \return CryptoAPI provider handle
/// \details If USE_MS_CRYPTOAPI is in effect, then CryptAcquireContext()
2020-04-02 12:29:45 +00:00
/// acquires then handle and CryptReleaseContext() releases the handle
/// upon destruction. If USE_MS_CNGAPI is in effect, then
/// BCryptOpenAlgorithmProvider() acquires then handle and
/// BCryptCloseAlgorithmProvider() releases the handle upon destruction.
2015-11-05 06:59:46 +00:00
ProviderHandle GetProviderHandle() const {return m_hProvider;}
2015-11-05 06:59:46 +00:00
private:
ProviderHandle m_hProvider;
};
#if defined(_MSC_VER) && defined(USE_MS_CRYPTOAPI)
2015-11-05 06:59:46 +00:00
# pragma comment(lib, "advapi32.lib")
#endif
#if defined(_MSC_VER) && defined(USE_MS_CNGAPI)
# pragma comment(lib, "bcrypt.lib")
#endif
#endif // CRYPTOPP_WIN32_AVAILABLE
2015-11-05 06:59:46 +00:00
/// \brief Wrapper class for /dev/random and /dev/srandom
/// \details Encapsulates CryptoAPI's CryptGenRandom() or CryptoNG's BCryptGenRandom()
2020-04-02 12:29:45 +00:00
/// on Windows, or /dev/urandom on Unix and compatibles.
2015-11-05 06:59:46 +00:00
class CRYPTOPP_DLL NonblockingRng : public RandomNumberGenerator
{
public:
CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() { return "NonblockingRng"; }
~NonblockingRng();
/// \brief Construct a NonblockingRng
2015-11-05 06:59:46 +00:00
NonblockingRng();
2016-09-10 08:57:48 +00:00
/// \brief Generate random array of bytes
/// \param output the byte buffer
/// \param size the length of the buffer, in bytes
/// \details GenerateIntoBufferedTransformation() calls are routed to GenerateBlock().
2015-11-05 06:59:46 +00:00
void GenerateBlock(byte *output, size_t size);
protected:
#ifdef CRYPTOPP_WIN32_AVAILABLE
MicrosoftCryptoProvider m_Provider;
2015-11-05 06:59:46 +00:00
#else
int m_fd;
#endif
};
#endif
#if defined(BLOCKING_RNG_AVAILABLE) || defined(CRYPTOPP_DOXYGEN_PROCESSING)
2015-11-05 06:59:46 +00:00
/// \brief Wrapper class for /dev/random and /dev/srandom
/// \details Encapsulates /dev/random on Linux, OS X and Unix; and /dev/srandom on the BSDs.
/// \note On Linux the /dev/random interface is effectively deprecated. According to the
2020-04-02 12:29:45 +00:00
/// Kernel Crypto developers, /dev/urandom or getrandom(2) should be used instead. Also
/// see <A HREF="https://lkml.org/lkml/2017/7/20/993">[RFC PATCH v12 3/4] Linux Random
/// Number Generator</A> on the kernel-crypto mailing list.
2015-11-05 06:59:46 +00:00
class CRYPTOPP_DLL BlockingRng : public RandomNumberGenerator
{
public:
CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() { return "BlockingRng"; }
~BlockingRng();
/// \brief Construct a BlockingRng
2015-11-05 06:59:46 +00:00
BlockingRng();
2016-09-10 08:57:48 +00:00
/// \brief Generate random array of bytes
/// \param output the byte buffer
/// \param size the length of the buffer, in bytes
/// \details GenerateIntoBufferedTransformation() calls are routed to GenerateBlock().
2015-11-05 06:59:46 +00:00
void GenerateBlock(byte *output, size_t size);
protected:
int m_fd;
};
#endif
/// OS_GenerateRandomBlock
/// \brief Generate random array of bytes
2021-03-05 03:49:25 +00:00
/// \param blocking specifies whether a blocking or non-blocking generator should be used
/// \param output the byte buffer
/// \param size the length of the buffer, in bytes
/// \details OS_GenerateRandomBlock() uses the underlying operating system's
2020-04-02 12:29:45 +00:00
/// random number generator. On Windows, CryptGenRandom() is called using NonblockingRng.
/// \details On Unix and compatibles, /dev/urandom is called if blocking is false using
2020-04-02 12:29:45 +00:00
/// NonblockingRng. If blocking is true, then either /dev/randomd or /dev/srandom is used
/// by way of BlockingRng, if available.
2015-11-05 06:59:46 +00:00
CRYPTOPP_DLL void CRYPTOPP_API OS_GenerateRandomBlock(bool blocking, byte *output, size_t size);
/// \brief Automatically Seeded Randomness Pool
/// \details This class seeds itself using an operating system provided RNG.
2020-04-02 12:29:45 +00:00
/// AutoSeededRandomPool was suggested by Leonard Janke.
/// \details You should reseed the generator after a fork() to avoid multiple generators
/// with the same internal state.
2015-11-05 06:59:46 +00:00
class CRYPTOPP_DLL AutoSeededRandomPool : public RandomPool
{
public:
CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() { return "AutoSeededRandomPool"; }
~AutoSeededRandomPool() {}
/// \brief Construct an AutoSeededRandomPool
/// \param blocking controls seeding with BlockingRng or NonblockingRng
/// \param seedSize the size of the seed, in bytes
/// \details Use blocking to choose seeding with BlockingRng or NonblockingRng.
2020-04-02 12:29:45 +00:00
/// The parameter is ignored if only one of these is available.
2015-11-05 06:59:46 +00:00
explicit AutoSeededRandomPool(bool blocking = false, unsigned int seedSize = 32)
{Reseed(blocking, seedSize);}
2016-09-10 08:57:48 +00:00
/// \brief Reseed an AutoSeededRandomPool
/// \param blocking controls seeding with BlockingRng or NonblockingRng
/// \param seedSize the size of the seed, in bytes
2015-11-05 06:59:46 +00:00
void Reseed(bool blocking = false, unsigned int seedSize = 32);
};
/// \tparam BLOCK_CIPHER a block cipher
/// \brief Automatically Seeded X9.17 RNG
/// \details AutoSeededX917RNG is from ANSI X9.17 Appendix C, seeded using an OS provided RNG.
2020-04-02 12:29:45 +00:00
/// If 3-key TripleDES (DES_EDE3) is used, then its a X9.17 conforming generator. If AES is
/// used, then its a X9.31 conforming generator.
/// \details Though ANSI X9 prescribes 3-key TripleDES, the template parameter BLOCK_CIPHER
/// can be any BlockTransformation derived class.
/// \details You should reseed the generator after a fork() to avoid multiple generators
/// with the same internal state.
/// \sa X917RNG, DefaultAutoSeededRNG
2015-11-05 06:59:46 +00:00
template <class BLOCK_CIPHER>
class AutoSeededX917RNG : public RandomNumberGenerator, public NotCopyable
{
public:
static std::string StaticAlgorithmName() {
return std::string("AutoSeededX917RNG(") + BLOCK_CIPHER::StaticAlgorithmName() + std::string(")");
}
~AutoSeededX917RNG() {}
/// \brief Construct an AutoSeededX917RNG
/// \param blocking controls seeding with BlockingRng or NonblockingRng
/// \param autoSeed controls auto seeding of the generator
/// \details Use blocking to choose seeding with BlockingRng or NonblockingRng.
2020-04-02 12:29:45 +00:00
/// The parameter is ignored if only one of these is available.
/// \sa X917RNG
2015-11-05 06:59:46 +00:00
explicit AutoSeededX917RNG(bool blocking = false, bool autoSeed = true)
{if (autoSeed) Reseed(blocking);}
/// \brief Reseed an AutoSeededX917RNG
/// \param blocking controls seeding with BlockingRng or NonblockingRng
2020-12-15 08:37:48 +00:00
/// \param input additional entropy to add to the generator
/// \param length the size of the additional entropy, in bytes
/// \details Internally, the generator uses SHA256 to extract the entropy from
2020-04-02 12:29:45 +00:00
/// from the seed and then stretch the material for the block cipher's key
/// and initialization vector.
2020-12-15 08:37:48 +00:00
void Reseed(bool blocking = false, const byte *input = NULLPTR, size_t length = 0);
/// \brief Deterministically reseed an AutoSeededX917RNG for testing
/// \param key the key to use for the deterministic reseeding
/// \param keylength the size of the key, in bytes
/// \param seed the seed to use for the deterministic reseeding
/// \param timeVector a time vector to use for deterministic reseeding
/// \details This is a testing interface for testing purposes, and should \a NOT
2020-04-02 12:29:45 +00:00
/// be used in production.
2015-11-05 06:59:46 +00:00
void Reseed(const byte *key, size_t keylength, const byte *seed, const byte *timeVector);
bool CanIncorporateEntropy() const {return true;}
void IncorporateEntropy(const byte *input, size_t length) {Reseed(false, input, length);}
void GenerateIntoBufferedTransformation(BufferedTransformation &target, const std::string &channel, lword length)
{m_rng->GenerateIntoBufferedTransformation(target, channel, length);}
2015-11-05 06:59:46 +00:00
std::string AlgorithmProvider() const;
2015-11-05 06:59:46 +00:00
private:
member_ptr<RandomNumberGenerator> m_rng;
};
template <class BLOCK_CIPHER>
void AutoSeededX917RNG<BLOCK_CIPHER>::Reseed(const byte *key, size_t keylength, const byte *seed, const byte *timeVector)
{
m_rng.reset(new X917RNG(new typename BLOCK_CIPHER::Encryption(key, keylength), seed, timeVector));
}
template <class BLOCK_CIPHER>
void AutoSeededX917RNG<BLOCK_CIPHER>::Reseed(bool blocking, const byte *input, size_t length)
{
enum {BlockSize=BLOCK_CIPHER::BLOCKSIZE};
enum {KeyLength=BLOCK_CIPHER::DEFAULT_KEYLENGTH};
enum {SeedSize=EnumToInt(BlockSize)+EnumToInt(KeyLength)};
SecByteBlock seed(SeedSize), temp(SeedSize);
const byte label[] = "X9.17 key generation";
const byte *key=NULLPTR;
2015-11-05 06:59:46 +00:00
do
{
OS_GenerateRandomBlock(blocking, temp, temp.size());
HKDF<SHA256> hkdf;
hkdf.DeriveKey(
seed, seed.size(), // derived secret
temp, temp.size(), // instance secret
input, length, // user secret
label, 20 // unique label
);
key = seed + BlockSize;
2015-11-05 06:59:46 +00:00
} // check that seed and key don't have same value
while (memcmp(key, seed, STDMIN((size_t)BlockSize, (size_t)KeyLength)) == 0);
2015-11-05 06:59:46 +00:00
Reseed(key, KeyLength, seed, NULLPTR);
2015-11-05 06:59:46 +00:00
}
template <class BLOCK_CIPHER>
std::string AutoSeededX917RNG<BLOCK_CIPHER>::AlgorithmProvider() const
{
// Hack for now... We need to instantiate one
typename BLOCK_CIPHER::Encryption bc;
return bc.AlgorithmProvider();
}
2015-11-05 06:59:46 +00:00
CRYPTOPP_DLL_TEMPLATE_CLASS AutoSeededX917RNG<AES>;
#if defined(CRYPTOPP_DOXYGEN_PROCESSING)
/// \brief A typedef providing a default generator
/// \details DefaultAutoSeededRNG is a typedef of either AutoSeededX917RNG<AES> or AutoSeededRandomPool.
2020-04-02 12:29:45 +00:00
/// If CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2 is defined, then DefaultAutoSeededRNG is
/// AutoSeededX917RNG<AES>. Otherwise, DefaultAutoSeededRNG is AutoSeededRandomPool.
/// \details You should reseed the generator after a fork() to avoid multiple generators
/// with the same internal state.
class DefaultAutoSeededRNG {}
#else
// AutoSeededX917RNG<AES> in FIPS mode, otherwise it's AutoSeededRandomPool
2015-11-05 06:59:46 +00:00
#if CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2
typedef AutoSeededX917RNG<AES> DefaultAutoSeededRNG;
#else
typedef AutoSeededRandomPool DefaultAutoSeededRNG;
#endif
#endif // CRYPTOPP_DOXYGEN_PROCESSING
2015-11-05 06:59:46 +00:00
NAMESPACE_END
#endif
#endif