author | Jack Lloyd <[email protected]> | 2015-11-24 17:51:59 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2015-11-24 17:51:59 -0500 |
commit | 5f208fab1890e2ad64b52306eccd82f031425c7a (patch) | |
tree | 6bbbf1408e10538e441e3d603d80ebb2cabc6a78 /src/build-data/buildh.in | |
parent | bf59ffc4de374d7b27b7ab400789ab2723131b7a (diff) |
New reseed_with_sources call on RNGs
Provides an easier way for an application to configure a list of
entropy sources they'd like to use, or add a custom entropy source to
their seeding.
Exposes some toggles for the global/default entropy sources to build.h
Adds basic entropy tests which run the polls and do sanity checking
on the results, including compression tests if available. These are
less useful for the CSPRNG outputs but a good check for the ones
producing plain ASCII like the /proc reader.
Diffstat (limited to 'src/build-data/buildh.in')
-rw-r--r-- | src/build-data/buildh.in | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/src/build-data/buildh.in b/src/build-data/buildh.in
index 31277ff0c..a289fbcd8 100644
--- a/src/build-data/buildh.in
+++ b/src/build-data/buildh.in
@@ -101,10 +101,43 @@
 * RNGs will automatically poll the system for additional seed material
 * after producing this many bytes of output.
 */
-#define BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED 512
+#define BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED 4096
 #define BOTAN_RNG_RESEED_POLL_BITS 128
 #define BOTAN_RNG_AUTO_RESEED_TIMEOUT std::chrono::milliseconds(10)
-#define BOTAN_RNG_RESEED_DEFAULT_TIMEOUT std::chrono::milliseconds(100)
+#define BOTAN_RNG_RESEED_DEFAULT_TIMEOUT std::chrono::milliseconds(50)
+
+/*
+* Specifies (in order) the list of entropy sources that will be used
+* to seed an in-memory RNG. The first few in the default list
+* ("timer", "proc_info", etc) do not count as contributing any entropy
+* but are included as they are fast and help protect against a
+* seriously broken system RNG.
+*/
+#define BOTAN_ENTROPY_DEFAULT_SOURCES \
+ { "timestamp", "rdrand", "proc_info", \
+ "darwin_secrandom", "dev_random", "win32_cryptoapi", "egd", \
+ "proc_walk", "system_stats", "unix_procs" }
+
+/*
+* These control the RNG used by the system RNG interface
+*/
+#define BOTAN_SYSTEM_RNG_DEVICE "/dev/urandom"
+#define BOTAN_SYSTEM_RNG_CRYPTOAPI_PROV_TYPE PROV_RSA_FULL
+
+/*
+* These paramaters control how many bytes to read from the system
+* PRNG, and how long to block if applicable.
+*
+* Timeout is ignored on Windows as CryptGenRandom doesn't block
+*/
+#define BOTAN_SYSTEM_RNG_POLL_DEVICES { "/dev/urandom", "/dev/random", "/dev/srandom" }
+
+#define BOTAN_SYSTEM_RNG_POLL_REQUEST 64
+#define BOTAN_SYSTEM_RNG_POLL_TIMEOUT_MS 20
+
+#define BOTAN_ENTROPY_EGD_PATHS { "/var/run/egd-pool", "/dev/egd-pool" }
+#define BOTAN_ENTROPY_PROC_FS_PATH "/proc"
+#define BOTAN_ENTROPY_SAFE_PATHS { "/bin", "/sbin", "/usr/bin", "/usr/sbin" }
 /* Should we use GCC-style inline assembler? */
 #if !defined(BOTAN_USE_GCC_INLINE_ASM) && defined(__GNUG__) |
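Review bot: The comment above `BOTAN_ENTROPY_DEFAULT_SOURCES` names "timer" as one of the sources that are not credited with entropy, but the list has no such entry (it begins `"timestamp", "rdrand", "proc_info"`), so a reader cannot tell which entries count toward the seed estimate, and the hunk does not show whether `rdrand` falls in that group. I would name the actual entries, e.g. `* ("timestamp", "proc_info", etc) do not count as contributing any entropy`, and state explicitly how `rdrand` is credited. Separately, the first lines of the hunk raise `BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED` from 512 to 4096 and halve `BOTAN_RNG_RESEED_DEFAULT_TIMEOUT` to 50 ms with no rationale in the comment or the commit message; a one-line why-comment would help anyone auditing the reseed policy. The new comment on the system RNG poll settings also misspells "parameters" as "paramaters".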