wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-05 13:44:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix RNG issue with Intel RDRAND and RDSEED accelerations not being used because HAVE_HASHDRBG was always being defined if !WOLFSSL_FORCE_RC4_DRBG. Added new --enable-intelrand option to indicate use of RDRAND preference for RNG source (if RDRAND not supported by CPU then HASHDRBG will be used). The --enable-intelasm option enables the RDSEED support for seeding HASHDRBG if CPU supports it. Allow use of seed as RNG source if --disable-hashdbrg (shows build warning). Cleanup to remove old ARC4 RNG support. Fixed random_test return code with !HAVE_HASHDRBG. Cleanup of ./configure --help alignment.

Browse Source
This commit is contained in:
David Garske
2017-03-17 13:29:03 -07:00
parent ccad9f5575
commit 5e3d8e705e
5 changed files with 428 additions and 480 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
configure.ac
View File

@@ -228,7 +228,7 @@ fi
AC_ARG_ENABLE([rng], AC_ARG_ENABLE([rng],
[AS_HELP_STRING([ --enable-rng Enable compiling and using RNG (default: enabled)])], [AS_HELP_STRING([--enable-rng Enable compiling and using RNG (default: enabled)])],
[ ENABLED_RNG=$enableval ], [ ENABLED_RNG=$enableval ],
[ ENABLED_RNG=yes ] [ ENABLED_RNG=yes ]
) )
@@ -334,7 +334,7 @@ AM_CONDITIONAL([BUILD_IPV6], [test "x$ENABLED_IPV6" = "xyes"])
# wpa_supplicant support # wpa_supplicant support
AC_ARG_ENABLE([wpas], AC_ARG_ENABLE([wpas],
[ --enable-wpas Enable wpa_supplicant support (default: disabled)], [ --enable-wpas Enable wpa_supplicant support (default: disabled)],
[ ENABLED_WPAS=$enableval ], [ ENABLED_WPAS=$enableval ],
[ ENABLED_WPAS=no ] [ ENABLED_WPAS=no ]
) )
@@ -612,7 +612,7 @@ fi
AM_CONDITIONAL([BUILD_ARMASM], [test "x$ENABLED_ARMASM" = "xyes"]) AM_CONDITIONAL([BUILD_ARMASM], [test "x$ENABLED_ARMASM" = "xyes"])
# AES-NI # INTEL AES-NI
AC_ARG_ENABLE([aesni], AC_ARG_ENABLE([aesni],
[AS_HELP_STRING([--enable-aesni],[Enable wolfSSL AES-NI support (default: disabled)])], [AS_HELP_STRING([--enable-aesni],[Enable wolfSSL AES-NI support (default: disabled)])],
[ ENABLED_AESNI=$enableval ], [ ENABLED_AESNI=$enableval ],
@@ -626,6 +626,7 @@ AC_ARG_ENABLE([intelasm],
[ ENABLED_INTELASM=no ] [ ENABLED_INTELASM=no ]
) )
if test "$ENABLED_AESNI" = "yes" || test "$ENABLED_INTELASM" = "yes" if test "$ENABLED_AESNI" = "yes" || test "$ENABLED_INTELASM" = "yes"
then then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESNI" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESNI"
@@ -643,10 +644,22 @@ fi
if test "$ENABLED_INTELASM" = "yes" if test "$ENABLED_INTELASM" = "yes"
then then
AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDGEN -DUSE_INTEL_SPEEDUP" AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDSEED -DUSE_INTEL_SPEEDUP"
ENABLED_AESNI=yes ENABLED_AESNI=yes
fi fi
# INTEL RDRAND
AC_ARG_ENABLE([intelrand],
[AS_HELP_STRING([--enable-intelrand],[Enable Intel rdrand as preferred RNG source (default: disabled)])],
[ ENABLED_INTELRDRAND=$enableval ],
[ ENABLED_INTELRDRAND=no ]
)
if test "$ENABLED_INTELRDRAND" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDRAND"
fi
AM_CONDITIONAL([BUILD_AESNI], [test "x$ENABLED_AESNI" = "xyes"]) AM_CONDITIONAL([BUILD_AESNI], [test "x$ENABLED_AESNI" = "xyes"])
@@ -1678,7 +1691,7 @@ then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG" AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
else else
# turn on Hash DRBG if FIPS is on or ARC4 is off # turn on Hash DRBG if FIPS is on or ARC4 is off
if test "x$ENABLED_FIPS" = "xyes" || test "x$ENABLED_ARC4" = "xno" if test "x$ENABLED_FIPS" = "xyes"
then then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG" AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
ENABLED_HASHDRBG=yes ENABLED_HASHDRBG=yes
@@ -2018,7 +2031,7 @@ AC_ARG_ENABLE([maxfragment],
# ALPN # ALPN
AC_ARG_ENABLE([alpn], AC_ARG_ENABLE([alpn],
[ --enable-alpn Enable ALPN (default: disabled)], [ --enable-alpn Enable ALPN (default: disabled)],
[ ENABLED_ALPN=$enableval ], [ ENABLED_ALPN=$enableval ],
[ ENABLED_ALPN=no ] [ ENABLED_ALPN=no ]
) )
@@ -2956,7 +2969,7 @@ AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"])
# Asynchronous Crypto # Asynchronous Crypto
AC_ARG_ENABLE([asynccrypt], AC_ARG_ENABLE([asynccrypt],
[ --enable-asynccrypt Enable Asynchronous Crypto (default: disabled)], [ --enable-asynccrypt Enable Asynchronous Crypto (default: disabled)],
[ ENABLED_ASYNCCRYPT=$enableval ], [ ENABLED_ASYNCCRYPT=$enableval ],
[ ENABLED_ASYNCCRYPT=no ] [ ENABLED_ASYNCCRYPT=no ]
) )

795
wolfcrypt/src/random.c
View File

File diff suppressed because it is too large Load Diff

10
wolfcrypt/test/test.c
View File

@@ -5047,7 +5047,7 @@ exit:
return ret; return ret;
} }
#if (defined(HAVE_HASHDRBG) || defined(NO_RC4)) && !defined(CUSTOM_RAND_GENERATE_BLOCK) #if defined(HAVE_HASHDRBG) && !defined(CUSTOM_RAND_GENERATE_BLOCK)
int random_test(void) int random_test(void)
{ {
@@ -5126,17 +5126,15 @@ int random_test(void)
return 0; return 0;
} }
#else /* (HAVE_HASHDRBG || NO_RC4) && !CUSTOM_RAND_GENERATE_BLOCK */ #else
int random_test(void) int random_test(void)
{ {
/* Basic RNG generate block test */ /* Basic RNG generate block test */
random_rng_test(); return random_rng_test();
return 0;
} }
#endif /* (HAVE_HASHDRBG || NO_RC4) && !CUSTOM_RAND_GENERATE_BLOCK */ #endif /* HAVE_HASHDRBG && !CUSTOM_RAND_GENERATE_BLOCK */
#endif /* WC_NO_RNG */ #endif /* WC_NO_RNG */

70
wolfssl/wolfcrypt/random.h
View File

@@ -36,43 +36,59 @@
#endif #endif
/* Maximum generate block length */ /* Maximum generate block length */
#define RNG_MAX_BLOCK_LEN (0x10000) #ifndef RNG_MAX_BLOCK_LEN
#define RNG_MAX_BLOCK_LEN (0x10000)
#endif
#if defined(CUSTOM_RAND_GENERATE) && !defined(CUSTOM_RAND_TYPE)
/* To maintain compatibility the default is byte */
#define CUSTOM_RAND_TYPE byte
#endif
#ifndef HAVE_FIPS /* avoid redefining structs and macros */ #ifndef HAVE_FIPS /* avoid redefining structs and macros */
#if defined(WOLFSSL_FORCE_RC4_DRBG) && defined(NO_RC4)
#error Cannot have WOLFSSL_FORCE_RC4_DRBG and NO_RC4 defined.
#endif /* WOLFSSL_FORCE_RC4_DRBG && NO_RC4 */
/* RNG supports the following sources (in order): /* RNG supports the following sources (in order):
* 1. CUSTOM_RAND_GENERATE_BLOCK: Defines name of function as RNG source and * 1. CUSTOM_RAND_GENERATE_BLOCK: Defines name of function as RNG source and
* bypasses the P-RNG. * bypasses the options below.
* 2. HAVE_HASHDRBG && !NO_SHA256 (SHA256 enabled): Uses SHA256 based P-RNG * 2. HAVE_INTEL_RDRAND: Uses the Intel RDRAND if supported by CPU.
* 3. HAVE_HASHDRBG (requires SHA256 enabled): Uses SHA256 based P-RNG
* seeded via wc_GenerateSeed. This is the default source. * seeded via wc_GenerateSeed. This is the default source.
* 3. !NO_RC4 (RC4 enabled): Uses RC4 * 4. Fallback to using wc_GenerateSeed directly.
*/ */
/* Seed source can be overriden by defining one of these:
CUSTOM_RAND_GENERATE_SEED
CUSTOM_RAND_GENERATE_SEED_OS
CUSTOM_RAND_GENERATE */
#if defined(CUSTOM_RAND_GENERATE_BLOCK) #if defined(CUSTOM_RAND_GENERATE_BLOCK)
/* To use define the following: /* To use define the following:
* #define CUSTOM_RAND_GENERATE_BLOCK myRngFunc * #define CUSTOM_RAND_GENERATE_BLOCK myRngFunc
* extern int myRngFunc(byte* output, word32 sz); * extern int myRngFunc(byte* output, word32 sz);
*/ */
#elif (defined(HAVE_HASHDRBG) || defined(NO_RC4)) #elif defined(HAVE_HASHDRBG)
#ifdef NO_SHA256 #ifdef NO_SHA256
#error "Hash DRBG requires SHA-256." #error "Hash DRBG requires SHA-256."
#endif /* NO_SHA256 */ #endif /* NO_SHA256 */
#include <wolfssl/wolfcrypt/sha256.h> #include <wolfssl/wolfcrypt/sha256.h>
#elif defined(HAVE_INTEL_RDRAND)
#elif defined(HAVE_WNR)
#else #else
#include <wolfssl/wolfcrypt/arc4.h> #warning No RNG source defined. Using wc_GenerateSeed directly
#endif #endif
#ifdef HAVE_WNR #ifdef HAVE_WNR
#include <wnr.h> #include <wnr.h>
#endif #endif
#ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h>
#endif
#if defined(USE_WINDOWS_API) #if defined(USE_WINDOWS_API)
#if defined(_WIN64) #if defined(_WIN64)
typedef unsigned __int64 ProviderHandle; typedef unsigned __int64 ProviderHandle;
@@ -98,46 +114,26 @@ typedef struct OS_Seed {
#define WC_RNG_TYPE_DEFINED #define WC_RNG_TYPE_DEFINED
#endif #endif
#if (defined(HAVE_HASHDRBG) || defined(NO_RC4)) && !defined(CUSTOM_RAND_GENERATE_BLOCK) #ifndef CUSTOM_RAND_GENERATE_BLOCK
#define DRBG_SEED_LEN (440/8) #define DRBG_SEED_LEN (440/8)
struct DRBG; /* Private DRBG state */ struct DRBG; /* Private DRBG state */
/* Hash-based Deterministic Random Bit Generator */ /* Hash-based Deterministic Random Bit Generator */
struct WC_RNG { struct WC_RNG {
#ifdef HAVE_HASHDRBG
struct DRBG* drbg; struct DRBG* drbg;
byte status;
#endif
OS_Seed seed; OS_Seed seed;
void* heap; void* heap;
byte status;
};
#else /* (HAVE_HASHDRBG || NO_RC4) && !CUSTOM_RAND_GENERATE_BLOCK */
#ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h>
#endif
/* secure Random Number Generator */
struct WC_RNG {
OS_Seed seed;
#ifndef NO_RC4
Arc4 cipher;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
AsyncCryptDev asyncDev; AsyncCryptDev asyncDev;
#endif #endif
}; };
#endif /* !CUSTOM_RAND_GENERATE_BLOCK */
#endif /* (HAVE_HASHDRBG || NO_RC4) && !CUSTOM_RAND_GENERATE_BLOCK */
#endif /* HAVE_FIPS */ #endif /* HAVE_FIPS */
/* NO_OLD_RNGNAME removes RNG struct name to prevent possible type conflicts, /* NO_OLD_RNGNAME removes RNG struct name to prevent possible type conflicts,

6
wolfssl/wolfcrypt/settings.h
View File

@@ -1405,12 +1405,6 @@ extern void uITRON4_free(void *p) ;
#define WOLFSSL_MIN_AUTH_TAG_SZ 12 #define WOLFSSL_MIN_AUTH_TAG_SZ 12
#endif #endif
/* If not forcing ARC4 as the DRBG or using custom RNG block gen, enable Hash_DRBG */
#undef HAVE_HASHDRBG
#if !defined(WOLFSSL_FORCE_RC4_DRBG) && !defined(CUSTOM_RAND_GENERATE_BLOCK)
#define HAVE_HASHDRBG
#endif
/* sniffer requires: /* sniffer requires:
* static RSA cipher suites * static RSA cipher suites