authorJack Lloyd <[email protected]>2015-12-19 18:55:35 -0500
committerJack Lloyd <[email protected]>2015-12-19 18:55:35 -0500
commit93737a7fe053b154ec56197d85c1b3f009826539 (patch)
tree02af9208ed3bf8da2d9b0c70e1543b8a169747db /src
parentcd4b4c04aa045c7bd660360f426c3964c6755306 (diff)
Move estimate of RDRAND/RDSEED entropy to build.h
GH #370 for background
Diffstat (limited to 'src')
-rw-r--r--src/build-data/buildh.in13
-rw-r--r--src/lib/entropy/rdrand/rdrand.cpp12
-rw-r--r--src/lib/entropy/rdseed/rdseed.cpp12
3 files changed, 15 insertions, 22 deletions
diff --git a/src/build-data/buildh.in b/src/build-data/buildh.in
index be097d78b..c6c4f9064 100644
--- a/src/build-data/buildh.in
+++ b/src/build-data/buildh.in
@@ -165,9 +165,22 @@
// Human readable text which has entropy
#define BOTAN_ENTROPY_ESTIMATE_SYSTEM_TEXT (1.0 / 64)
+/*
+The output of a hardware RNG such as RDRAND / RDSEED
+
+By default such RNGs are used but not trusted, so that the standard
+softare-based entropy polling is still used.
+*/
+#define BOTAN_ENTROPY_ESTIMATE_HARDWARE_RNG 0.0
+
// The output of a PRNG we are trusting to be strong
#define BOTAN_ENTROPY_ESTIMATE_STRONG_RNG 7.0
+
+/*
+* Compiler and target specific flags
+*/
+
/* Should we use GCC-style inline assembler? */
#if !defined(BOTAN_USE_GCC_INLINE_ASM) && defined(__GNUG__)
#define BOTAN_USE_GCC_INLINE_ASM 1
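Review bot: The new block comment above `BOTAN_ENTROPY_ESTIMATE_HARDWARE_RNG` misspells "software" as "softare"; `softare-based entropy polling` should read `software-based entropy polling`. More importantly, the reasoning for why 0.0 is the safe default — a backdoored RDRAND/RDSEED cannot harm the HMAC_RNG reseed because it tolerates arbitrarily large amounts of attacker-chosen input as long as one seed carried unknown-to-attacker entropy — is deleted from rdrand.cpp and rdseed.cpp in this same commit and does not reappear here, so this comment is now the only guidance a user sees before raising the constant. I would carry that rationale over and state the consequence of a nonzero value, e.g. `Raising this above 0.0 presumably lets hardware output count toward the poll's entropy target, so the software sources may no longer be consulted; keep 0.0 unless the hardware is trusted.` The unit should also be named explicitly, since the neighbouring estimates (`(1.0 / 64)`, `7.0`) only suggest it.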
diff --git a/src/lib/entropy/rdrand/rdrand.cpp b/src/lib/entropy/rdrand/rdrand.cpp
index 178c52798..24fe98cf8 100644
--- a/src/lib/entropy/rdrand/rdrand.cpp
+++ b/src/lib/entropy/rdrand/rdrand.cpp
@@ -22,16 +22,6 @@ void Intel_Rdrand::poll(Entropy_Accumulator& accum)
if(!CPUID::has_rdrand())
return;
- /*
- Don't consider rdrand as contributing any entropy to the poll. It doesn't
- make sense to trust uninspectible hardware.
-
- Even if backdoored, rdrand cannot harm us because the HMAC_RNG poll process
- is designed to handle arbitrarily large amounts of attacker known/chosen
- input (or even a reseed where every bit we reseeded with was attacker chosen),
- as long as at least one seed occurred with enough unknown-to-attacker entropy.
- */
- const double ENTROPY_ESTIMATE = 0.0;
const size_t RDRAND_POLLS = 32;
for(size_t i = 0; i != RDRAND_POLLS; ++i)
@@ -49,7 +39,7 @@ void Intel_Rdrand::poll(Entropy_Accumulator& accum)
#endif
if(cf == 1)
- accum.add(r, ENTROPY_ESTIMATE);
+ accum.add(r, BOTAN_ENTROPY_ESTIMATE_HARDWARE_RNG);
}
}
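Review bot: `accum.add(r, BOTAN_ENTROPY_ESTIMATE_HARDWARE_RNG)` now depends on a macro defined in build.h, and neither this hunk nor the preceding one adds an include for it; if rdrand.cpp only sees build.h transitively through another header, a direct `#include <botan/build.h>` at the top of the file would make the dependency explicit and survive header reshuffles. The same applies to the identical change in rdseed.cpp (`Intel_Rdseed::poll`). The block comment removed in the preceding rdrand hunk carried the security argument for a zero estimate, and the build.h replacement does not restate it, so a one-line comment at this call site would keep the intent visible, e.g. `// Estimate is a build-time knob; 0.0 (default) mixes RDRAND output in without crediting it as entropy`. Intel_Rdrand::poll begins outside this hunk.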
diff --git a/src/lib/entropy/rdseed/rdseed.cpp b/src/lib/entropy/rdseed/rdseed.cpp
index 8bdd79a1d..91306769d 100644
--- a/src/lib/entropy/rdseed/rdseed.cpp
+++ b/src/lib/entropy/rdseed/rdseed.cpp
@@ -22,16 +22,6 @@ void Intel_Rdseed::poll(Entropy_Accumulator& accum)
if(!CPUID::has_rdseed())
return;
- /*
- Don't consider rdseed as contributing any entropy to the poll. It doesn't
- make sense to trust uninspectible hardware.
-
- Even if backdoored, rdseed cannot harm us because the HMAC_RNG poll process
- is designed to handle arbitrarily large amounts of attacker known/chosen
- input (or even a reseed where every bit we reseeded with was attacker chosen),
- as long as at least one seed occurred with enough unknown-to-attacker entropy.
- */
- const double ENTROPY_ESTIMATE = 0.0;
const size_t RDSEED_POLLS = 32;
for(size_t i = 0; i != RDSEED_POLLS; ++i)
@@ -49,7 +39,7 @@ void Intel_Rdseed::poll(Entropy_Accumulator& accum)
#endif
if(cf == 1)
- accum.add(r, ENTROPY_ESTIMATE);
+ accum.add(r, BOTAN_ENTROPY_ESTIMATE_HARDWARE_RNG);
}
}