aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/entropy
Commit message (Collapse)AuthorAgeFilesLines
* Remove "Dirty hack" for multiple defines in lex_me_harder()Simon Warta2017-04-029-9/+27
|
* Always poll 256 bytes from Getentropy.Alexander Bluhm2017-03-301-3/+4
| | | | | | The OpenBSD system limit for getentropy(2) is 256 bytes. It does not make sense to use the BOTAN_SYSTEM_RNG_POLL_REQUEST define here. As it is only used in one place, another define would be overkill.
* Disable entropy proc_walk on OpenBSD.Alexander Bluhm2017-03-301-1/+0
| | | | | The /proc file system was disabled for years. With OpenBSD 5.7 the implementation has been removed from the kernel sources.
* Use getentropy(2) as random source.Alexander Bluhm2017-03-294-0/+78
| | | | | | | | Gather entropy from system call getentropy(2). This is available since in OpenBSD 5.6 and Solaris 11.3. It can provide up to 256 bytes entropy from the kernel without blocking. As a system call it does not need a file descriptor and works in chroot(2) environments without device nodes.
* Small fixes in API docs [ci skip]René Korthaus2017-03-091-3/+3
|
* Merge GH #813 Remove obsolete entropy source infoJack Lloyd2017-01-061-18/+0
|\
| * removed two more obsolete entropy source referencesDaniel Neus2017-01-061-14/+0
| |
| * Remove obsolete hres_timer includeDaniel Neus2017-01-061-4/+0
| | | | | | | | module doesn't exist anymore
* | Return 0 bits in Darwin_SecRandom::poll on SecRandomCopyBytes failureDaniel Neus2017-01-061-0/+2
|/
* Add os iosSimon Warta2017-01-031-0/+2
|
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-183-4/+4
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Remove <source> block from info.txt filesJack Lloyd2016-12-087-29/+1
| | | | | | Kind of a vestigial thing from an earlier iteration of the module design, and never useful to specify anymore since taking all the cpp files is what you want exactly 100% of the time.
* define NOMINMAX 1 before every include of windows.hBaruch Burstein2016-11-282-2/+2
|
* Compile fixJack Lloyd2016-11-031-1/+1
|
* Remove unused values from build.hJack Lloyd2016-11-031-1/+3
| | | | | | | Have the /proc setting in build.h actually control the entropy source configuration (!) GH #708
* Remove HMAC_RNG, X9.31-RNG, BeOS stats, EGD reader, Unix process runnerJack Lloyd2016-10-2811-855/+0
| | | | | Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1, whichever is available (in that order).
* Fix handling of file descriptor zeroJack Lloyd2016-10-221-13/+11
| | | | | If opening /dev/*random resulted in fd 0, we would both not use that RNG and leak the file descriptor. Found with Coverity.
* Fix doxygen warnings [ci skip]René Korthaus2016-10-192-5/+7
|
* Add ISA annotations to functions using SIMD, AES, etcJack Lloyd2016-10-141-0/+1
| | | | | | | | Also emit `#pragma GCC target` in the ISA specific amalgamation files. This allows compiling without any special compiler flags, at least with GCC 6.2 and Clang 3.8. The ISA annotations are ignored in MSVC, which just emits whatever instruction the intrinsic requires.
* Abstract out mutex type. Make threads optional.Jack Lloyd2016-10-126-9/+9
|
* The implicit constructor does not specify a provider.slaviber2016-10-071-1/+1
| | | | | | With no provider specified, Win32_CAPI_EntropySource::poll does not call ::CryptGenRandom and returns 0, leading to subsequent PRNG_Unseeded exceptions.
* Fix entropy source selection logic on WindowsJack Lloyd2016-10-041-1/+2
| | | | Fixes GH #644
* Make Windows happyJack Lloyd2016-08-282-2/+2
|
* Travis CI additions and cleanupJack Lloyd2016-08-282-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert Travis build configuration to a single var instead of 4 tuple. Makes it much easier to review the builds in the Travis web UI. Adds sanitizer builds for Clang on both Linux and OS X. Clang is a different compiler from GCC and its sanitizers may catch things GCC does not. I have no idea if Apple's Clang has some magic sanitizer sauce stock LLVM does not, so maybe sanitizer build on OS X can be skipped. Adds Linux cross compile targets for ARM32, ARM64, PPC64, and MinGW x86 using the cross compiler available in Trusty. All of them build and are set up to run through qemu/wine. All of the tests currently fail and so are marked as expected fail in the Travis matrix. The ARM test runs seem to have thread problems; ARM32 thread creation just fails with an exception, as if pthreads was disabled. All other tests pass ok for ARM32. On Aarch64, it looks like there is a hard crash the first time the library tries creating a thread. Both of these might be due to statically linking the binary? I have been unable to convince Ubuntu's qemu-ppc64 to execute binaries compiled by Ubuntu's ppc64 cross compiler. I'm downloading an Ubuntu ISO to try this in a VM. Running under Wine exposes several issues, both in Wine and Botan. Many functions are stubs and it appears that entropy collection fails as a result. This triggers a bug in the FFI tests which causes a crash there. A pox on time zones; _mkgmtime is a MSVC extension and is not available on MinGW GCC. Add a last resort call that just uses the localzone variant instead. Adds valgrind target, remove a bogus poison in pubkey.cpp (it was effectively asserting that all of RSA was const time which is sadly not true at all). Moves -Wshadow to maintainer mode for GCC - GCC 4.8 has a noisy variant of -Wshadow which warns if a parameter masks a function name, but this comes up all the time in constructors. Later GCCs no longer warn about this (even with -Wshadow), so the warnings are never fixed, but they cause noise in CI output and hide interesting warnings like warning: vec_lvsl is deprecated for little endian; use assignment for unaligned loads and stores [-Wdeprecated] __vector unsigned char perm = vec_lvsl(0, static_cast<u32bit*>(nullptr));
* RNG changes (GH #593)Jack Lloyd2016-08-241-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change reseed interval logic to count calls to `randomize` rather than bytes, to match SP 800-90A Changes RNG reseeding API: there is no implicit reference to the global entropy sources within the RNGs anymore. The entropy sources must be supplied with the API call. Adds support for reseding directly from another RNG (such as a system or hardware RNG). Stateful_RNG keeps optional references to both an RNG and a set of entropy sources. During a reseed, both sources are used if set. These can be provided to HMAC_DRBG constructor. For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes per DRBG request. We treat requests longer than that as if the caller had instead made several sequential maximum-length requests. This means it is possible for one or more reseeds to trigger even in the course of generating a single (long) output (generate a 256-bit key and use ChaCha or HKDF if this is a problem). Adds RNG::randomize_with_ts_input which takes timestamps and uses them as the additional_data DRBG field. Stateful_RNG overrides this to also include the process ID and the reseed counter. AutoSeeded_RNG's `randomize` uses this. Officially deprecates RNG::make_rng and the Serialized_RNG construtor which creates an AutoSeeded_RNG. With these removed, it would be possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all (eg, for applications which only use the system RNG). Tests courtesy @cordney in GH PRs #598 and #600
* Add RDRAND_RNGJack Lloyd2016-07-192-39/+9
| | | | | | | | For those that are willing to trust uninspectible hardware. :) Changes RDRAND entropy source to call RDRAND_RNG Add --rdrand flag to rng cmdlet
* Compile fixJack Lloyd2016-07-181-1/+1
|
* Fix proc_walk - would always return 0 entropy collected.Jack Lloyd2016-07-182-7/+10
| | | | | | Fix BeOS stat reader - was calling wrong function on the rng. Remove entropy estimate defines from build.h, no longer used.
* Fix assignmentJack Lloyd2016-07-171-1/+1
|
* Revamp entropy pollingJack Lloyd2016-07-1726-373/+275
| | | | | Remove Entropy_Accumulator, instead have entropy sources directly add entropy to the RNG.
* Move poll logic to Entropy_SourcesJack Lloyd2016-07-172-3/+26
|
* Add Stateful_RNGJack Lloyd2016-07-174-28/+61
| | | | | | | | | | | | | | Handles fork checking for HMAC_RNG and HMAC_DRBG AutoSeeded_RNG change - switch to HMAC_DRBG as default. Start removing the io buffer from entropy poller. Update default RNG poll bits to 256. Fix McEliece test, was using wrong RNG API. Update docs.
* Fix SecRandomCopyBytes call with older OS X SDKsJack Lloyd2016-07-151-0/+1
| | | | | | | | | | In 10.8 (and presumably older) versions, the header for SecRandomCopyBytes is SecRandom.h, and Security.h does not include SecRandom.h With this change, the include of Security.h may be redundant for all versions, but I have no way to test this. GH #528
* Trivial warning fixesJack Lloyd2016-03-092-2/+2
|
* Merge GH #373 RDRAND/RDSEED logic changesJack Lloyd2016-03-062-34/+35
|\ | | | | | | The Intel RNG may fail if heavily contended, so retry as needed.
| * move logic back into poll()Daniel Neus2016-01-262-60/+36
| | | | | | | | prevents filtering out any 0x00000000 outputs from RDRAND/RDSEED
| * review changesDaniel Neus2015-12-214-37/+39
| | | | | | | | | | | | | | | | * no spaces around if(), for() etc * snake_case for plain functions * anonymous namespace function instead private and static * don't propagate failed poll to the calling application * RdRand retires configurable in build.h
| * RdRand and RdSeed logic changesDaniel Neus2015-12-204-36/+59
| | | | | | | | | | * Make it configurable how often RdRand and RdSeed is polled * Make it configurable how many RdSeed retries are executed
* | Remaining cppcheck fixes that are not covered by GH #444Daniel Neus2016-03-051-2/+2
| |
* | cppcheck fixes: Class 'X' has a constructor with 1 argument that is not ↵Daniel Neus2016-03-054-5/+5
| | | | | | | | explicit.
* | GlobalMemoryStatusEx is on XP GH #419Jack Lloyd2016-02-091-2/+2
| |
* | Add explicit fork check to HMAC_RNGJack Lloyd2016-02-072-72/+6
| | | | | | | | | | | | | | | | | | | | | | Add OS functions get_process_id, get_processor_timestamp, and get_system_timestamp_ns. HMAC_RNG uses the pid call to detect forks to initiate a reseed. It also adds the output of all three functions (the pid, the CPU cycle counter, and the system timestamp) into the PRF input. Calls the new OS timer functions from hres_timer entropy source. Removes the call to QPC in es_win32 which is mostly redundant with the one in hres_timer.
* | Revert GH #365 Replace deprecated Win API calls in Win32_EntropySourceJack Lloyd2016-02-061-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Thinking it over I've realized this was not a good move; XP may be EOLed but is still widely used and even VS 2015 still supports targeting XP. It's not really the same situation as going to extra efforts for supporting SunOS 5.1 or VAX/VMS, instead it actively broke support for something which is still widely deployed. And for those building for XP the options are patch out the call (GH #416) or disable win32_stats altogether in their build. I'd like to prevent downstream distributors from having to patch, because that can get messy. And while the design of CryptGenRandom is not disclosed it apparently has changed over time and at one point (IIRC) used RC4 to generate outputs, so if there is any OS that could use some extra help generating seed material it is XP. There may be future code that really makes use of APIs added after XP - CryptoNG, TPM support, etc and then people targetting XP will have to compile out those modules. But it doesn't make sense to break it here for this small gain.
* | Make Entropy_Sources and Entropy_Accumulator final.Jack Lloyd2016-01-171-4/+2
| | | | | | | | Remove bogus virtual destructor on Entropy_Accumulator (has no virtuals)
* | Merge GH #365 Replace deprecated Windows API calls in Win32_EntropySourceJack Lloyd2016-01-131-3/+3
|\ \ | | | | | | | | | | | | | | | By adopting MemoryStatusEx, this drops support for XP and Server 2003 which do not implement this API. This is considered a feature as these versions are already EOLed by Microsoft.
| * | Replace deprecated Win API calls in Win32_EntropySourceDaniel Neus2015-12-161-3/+3
| | | | | | | | | | | | | | | * GetTickCount is replaced by GetTickCount64(): see https://msdn.microsoft.com/en-us/library/windows/desktop/ms724408(v=vs.85).aspx for details * GlobalMemoryStatus is replaced by GlobalMemoryStatusEx: see https://msdn.microsoft.com/en-us/library/windows/desktop/aa366589(v=vs.85).aspx for details
* | | Add final attribute to many classesJack Lloyd2016-01-1011-12/+12
| | | | | | | | | | | | | | | | | | | | | In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402
* | | Mass-prefix member vars with m_René Korthaus2016-01-084-28/+28
| |/ |/|
* | Move estimate of RDRAND/RDSEED entropy to build.hJack Lloyd2015-12-192-22/+2
| | | | | | | | GH #370 for background
* | add support for Intel RdSeedDaniel Neus2015-12-184-0/+118
| |