Merge pull request #805 from dgarske/rng_cleanup

Fix RNG issue with Intel RD and cleanup to remove old ARC4 support
2017-04-03 14:57:09 -07:00 · 2017-04-03 14:57:09 -07:00 · 68076dee45
commit 68076dee45
parent e168d4db09 d69c860ab8
7 changed files with 488 additions and 539 deletions
--- a/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h
@ -278,17 +278,21 @@ extern "C" {
 /* Size of returned HW RNG value */
 #define CUSTOM_RAND_TYPE      unsigned int

+/* Seed source */
+extern unsigned int custom_rand_generate(void);
+#undef  CUSTOM_RAND_GENERATE
+#define CUSTOM_RAND_GENERATE  custom_rand_generate
+
 /* Choose RNG method */
 #if 1
    /* Use built-in P-RNG (SHA256 based) with HW RNG */
    /* P-RNG + HW RNG (P-RNG is ~8K) */
    #undef  HAVE_HASHDRBG
    #define HAVE_HASHDRBG
-
-    extern unsigned int custom_rand_generate(void);
-    #undef  CUSTOM_RAND_GENERATE
-    #define CUSTOM_RAND_GENERATE  custom_rand_generate
 #else
+    #undef  WC_NO_HASHDRBG
+    #define WC_NO_HASHDRBG
+
    /* Bypass P-RNG and use only HW RNG */
    extern int custom_rand_generate_block(unsigned char* output, unsigned int sz);
    #undef  CUSTOM_RAND_GENERATE_BLOCK
--- a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
@ -122,12 +122,26 @@
        recurse="Yes" />
      <file file_name="user_settings.h" />
      <file file_name="README.md" />
-      <folder
-        Name="source"
-        exclude=""
-        filter=""
-        path="../../src"
-        recurse="No" />
+      <folder Name="source">
+        <file file_name="../../src/bio.c">
+          <configuration Name="ARM_Debug" build_exclude_from_build="Yes" />
+        </file>
+        <file file_name="../../src/crl.c" />
+        <file file_name="../../src/include.am" />
+        <file file_name="../../src/internal.c" />
+        <file file_name="../../src/io.c" />
+        <file file_name="../../src/keys.c" />
+        <file file_name="../../src/libwolfssl.la" />
+        <file file_name="../../src/ocsp.c" />
+        <file file_name="../../src/sniffer.c" />
+        <file file_name="../../src/src_libwolfssl_la-internal.lo" />
+        <file file_name="../../src/src_libwolfssl_la-io.lo" />
+        <file file_name="../../src/src_libwolfssl_la-keys.lo" />
+        <file file_name="../../src/src_libwolfssl_la-ssl.lo" />
+        <file file_name="../../src/src_libwolfssl_la-tls.lo" />
+        <file file_name="../../src/ssl.c" />
+        <file file_name="../../src/tls.c" />
+      </folder>
    </folder>
  </project>
  <project Name="test">
--- a/configure.ac
+++ b/configure.ac
@ -228,7 +228,7 @@ fi


 AC_ARG_ENABLE([rng],
-    [AS_HELP_STRING([  --enable-rng       Enable compiling and using RNG (default: enabled)])],
+    [AS_HELP_STRING([--enable-rng            Enable compiling and using RNG (default: enabled)])],
    [ ENABLED_RNG=$enableval ],
    [ ENABLED_RNG=yes ]
    )
@ -334,7 +334,7 @@ AM_CONDITIONAL([BUILD_IPV6], [test "x$ENABLED_IPV6" = "xyes"])

 # wpa_supplicant support
 AC_ARG_ENABLE([wpas],
-    [  --enable-wpas         Enable wpa_supplicant support (default: disabled)],
+    [  --enable-wpas           Enable wpa_supplicant support (default: disabled)],
    [ ENABLED_WPAS=$enableval ],
    [ ENABLED_WPAS=no ]
    )
@ -613,7 +613,7 @@ fi

 AM_CONDITIONAL([BUILD_ARMASM], [test "x$ENABLED_ARMASM" = "xyes"])

-# AES-NI
+# INTEL AES-NI
 AC_ARG_ENABLE([aesni],
    [AS_HELP_STRING([--enable-aesni],[Enable wolfSSL AES-NI support (default: disabled)])],
    [ ENABLED_AESNI=$enableval ],
@ -627,6 +627,7 @@ AC_ARG_ENABLE([intelasm],
    [ ENABLED_INTELASM=no ]
    )

+
 if test "$ENABLED_AESNI" = "yes" || test "$ENABLED_INTELASM" = "yes"
 then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESNI"
@ -644,10 +645,22 @@ fi

 if test "$ENABLED_INTELASM" = "yes"
 then
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDGEN -DUSE_INTEL_SPEEDUP"
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDSEED -DUSE_INTEL_SPEEDUP"
    ENABLED_AESNI=yes
 fi

+# INTEL RDRAND
+AC_ARG_ENABLE([intelrand],
+    [AS_HELP_STRING([--enable-intelrand],[Enable Intel rdrand as preferred RNG source (default: disabled)])],
+    [ ENABLED_INTELRDRAND=$enableval ],
+    [ ENABLED_INTELRDRAND=no ]
+    )
+
+if test "$ENABLED_INTELRDRAND" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDRAND"
+fi
+
 AM_CONDITIONAL([BUILD_AESNI], [test "x$ENABLED_AESNI" = "xyes"])


@ -1683,11 +1696,13 @@ if test "x$ENABLED_HASHDRBG" = "xyes"
 then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
 else
-    # turn on Hash DRBG if FIPS is on or ARC4 is off
-    if test "x$ENABLED_FIPS" = "xyes" || test "x$ENABLED_ARC4" = "xno"
+    # turn on Hash DRBG if FIPS is on
+    if test "x$ENABLED_FIPS" = "xyes"
    then
        AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
        ENABLED_HASHDRBG=yes
+    else
+        AM_CFLAGS="$AM_CFLAGS -DWC_NO_HASHDRBG"
    fi
 fi

@ -2024,7 +2039,7 @@ AC_ARG_ENABLE([maxfragment],

 # ALPN
 AC_ARG_ENABLE([alpn],
-    [  --enable-alpn            Enable ALPN (default: disabled)],
+    [  --enable-alpn           Enable ALPN (default: disabled)],
    [ ENABLED_ALPN=$enableval ],
    [ ENABLED_ALPN=no ]
    )
@ -2962,7 +2977,7 @@ AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"])

 # Asynchronous Crypto
 AC_ARG_ENABLE([asynccrypt],
-    [  --enable-asynccrypt    Enable Asynchronous Crypto (default: disabled)],
+    [  --enable-asynccrypt     Enable Asynchronous Crypto (default: disabled)],
    [ ENABLED_ASYNCCRYPT=$enableval ],
    [ ENABLED_ASYNCCRYPT=no ]
    )
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -1025,8 +1025,7 @@ int base64_test()
 int asn_test()
 {
 #ifndef NO_ASN_TIME
-    {
-    time_t now;
+    long now;

    /* Parameter Validation tests. */
    if (wc_GetTime(NULL, sizeof(now)) != BAD_FUNC_ARG)
@ -1039,7 +1038,6 @@ int asn_test()
        return -102;
    if (now == 0)
        return -103;
-    }
 #endif

    return 0;
@ -5047,7 +5045,7 @@ exit:
    return ret;
 }

-#if (defined(HAVE_HASHDRBG) || defined(NO_RC4)) && !defined(CUSTOM_RAND_GENERATE_BLOCK)
+#if defined(HAVE_HASHDRBG) && !defined(CUSTOM_RAND_GENERATE_BLOCK)

 int random_test(void)
 {
@ -5126,17 +5124,15 @@ int random_test(void)
    return 0;
 }

-#else /* (HAVE_HASHDRBG || NO_RC4) && !CUSTOM_RAND_GENERATE_BLOCK */
+#else

 int random_test(void)
 {
    /* Basic RNG generate block test */
-    random_rng_test();
-
-    return 0;
+    return random_rng_test();
 }

-#endif /* (HAVE_HASHDRBG || NO_RC4) && !CUSTOM_RAND_GENERATE_BLOCK */
+#endif /* HAVE_HASHDRBG && !CUSTOM_RAND_GENERATE_BLOCK */
 #endif /* WC_NO_RNG */


--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@ -35,44 +35,71 @@
    extern "C" {
 #endif

-/* Maximum generate block length */
-#define RNG_MAX_BLOCK_LEN (0x10000)
+ /* Maximum generate block length */
+#ifndef RNG_MAX_BLOCK_LEN
+    #define RNG_MAX_BLOCK_LEN (0x10000)
+#endif
+
+/* Size of the BRBG seed */
+#ifndef DRBG_SEED_LEN
+    #define DRBG_SEED_LEN (440/8)
+#endif
+
+
+#if defined(CUSTOM_RAND_GENERATE) && !defined(CUSTOM_RAND_TYPE)
+    /* To maintain compatibility the default is byte */
+    #define CUSTOM_RAND_TYPE    byte
+#endif
+
+/* make sure Hash DRBG is enabled, unless WC_NO_HASHDRBG is defined
+    or CUSTOM_RAND_GENERATE_BLOCK is defined*/
+#if !defined(WC_NO_HASHDRBG) || !defined(CUSTOM_RAND_GENERATE_BLOCK)
+    #undef  HAVE_HASHDRBG
+    #define HAVE_HASHDRBG
+#endif
+

 #ifndef HAVE_FIPS /* avoid redefining structs and macros */

-#if defined(WOLFSSL_FORCE_RC4_DRBG) && defined(NO_RC4)
-    #error Cannot have WOLFSSL_FORCE_RC4_DRBG and NO_RC4 defined.
-#endif /* WOLFSSL_FORCE_RC4_DRBG && NO_RC4 */
-
-
 /* RNG supports the following sources (in order):
 * 1. CUSTOM_RAND_GENERATE_BLOCK: Defines name of function as RNG source and
- *     bypasses the P-RNG.
- * 2. HAVE_HASHDRBG && !NO_SHA256 (SHA256 enabled): Uses SHA256 based P-RNG
+ *     bypasses the options below.
+ * 2. HAVE_INTEL_RDRAND: Uses the Intel RDRAND if supported by CPU.
+ * 3. HAVE_HASHDRBG (requires SHA256 enabled): Uses SHA256 based P-RNG
 *     seeded via wc_GenerateSeed. This is the default source.
- * 3. !NO_RC4 (RC4 enabled): Uses RC4
 */

+ /* Seed source can be overriden by defining one of these:
+      CUSTOM_RAND_GENERATE_SEED
+      CUSTOM_RAND_GENERATE_SEED_OS
+      CUSTOM_RAND_GENERATE */
+
+
 #if defined(CUSTOM_RAND_GENERATE_BLOCK)
    /* To use define the following:
     * #define CUSTOM_RAND_GENERATE_BLOCK myRngFunc
     * extern int myRngFunc(byte* output, word32 sz);
     */
-#elif (defined(HAVE_HASHDRBG) || defined(NO_RC4))
+#elif defined(HAVE_HASHDRBG)
    #ifdef NO_SHA256
        #error "Hash DRBG requires SHA-256."
    #endif /* NO_SHA256 */
-
    #include <wolfssl/wolfcrypt/sha256.h>
+#elif defined(HAVE_WNR)
+     /* allow whitewood as direct RNG source using wc_GenerateSeed directly */
 #else
-    #include <wolfssl/wolfcrypt/arc4.h>
+    #error No RNG source defined!
 #endif

-
 #ifdef HAVE_WNR
    #include <wnr.h>
 #endif

+#ifdef WOLFSSL_ASYNC_CRYPT
+    #include <wolfssl/wolfcrypt/async.h>
+#endif
+
+
 #if defined(USE_WINDOWS_API)
    #if defined(_WIN64)
        typedef unsigned __int64 ProviderHandle;
@ -98,46 +125,25 @@ typedef struct OS_Seed {
    #define WC_RNG_TYPE_DEFINED
 #endif

-#if (defined(HAVE_HASHDRBG) || defined(NO_RC4)) && !defined(CUSTOM_RAND_GENERATE_BLOCK)
-
-#define DRBG_SEED_LEN (440/8)
-
-
-struct DRBG; /* Private DRBG state */
-
-
-/* Hash-based Deterministic Random Bit Generator */
-struct WC_RNG {
-    struct DRBG* drbg;
-    OS_Seed seed;
-    void* heap;
-    byte status;
-};
-
-
-
-#else /* (HAVE_HASHDRBG || NO_RC4) && !CUSTOM_RAND_GENERATE_BLOCK */
-
-#ifdef WOLFSSL_ASYNC_CRYPT
-    #include <wolfssl/wolfcrypt/async.h>
+#ifdef HAVE_HASHDRBG
+    /* Private DRBG state */
+    struct DRBG;
 #endif

-/* secure Random Number Generator */
-
-
+/* RNG context */
 struct WC_RNG {
    OS_Seed seed;
-#ifndef NO_RC4
-    Arc4    cipher;
+    void* heap;
+#ifdef HAVE_HASHDRBG
+    /* Hash-based Deterministic Random Bit Generator */
+    struct DRBG* drbg;
+    byte status;
 #endif
 #ifdef WOLFSSL_ASYNC_CRYPT
    AsyncCryptDev asyncDev;
 #endif
 };

-
-
-#endif /* (HAVE_HASHDRBG || NO_RC4) && !CUSTOM_RAND_GENERATE_BLOCK */
 #endif /* HAVE_FIPS */

 /* NO_OLD_RNGNAME removes RNG struct name to prevent possible type conflicts,
@ -146,6 +152,7 @@ struct WC_RNG {
    #define RNG WC_RNG
 #endif

+
 WOLFSSL_LOCAL
 int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz);

@ -164,12 +171,12 @@ WOLFSSL_API int  wc_RNG_GenerateByte(WC_RNG*, byte*);
 WOLFSSL_API int  wc_FreeRng(WC_RNG*);


-#if defined(HAVE_HASHDRBG) || defined(NO_RC4)
+#ifdef HAVE_HASHDRBG
    WOLFSSL_API int wc_RNG_HealthTest(int reseed,
                                        const byte* entropyA, word32 entropyASz,
                                        const byte* entropyB, word32 entropyBSz,
                                        byte* output, word32 outputSz);
-#endif /* HAVE_HASHDRBG || NO_RC4 */
+#endif /* HAVE_HASHDRBG */

 #ifdef __cplusplus
    } /* extern "C" */
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@ -1405,12 +1405,6 @@ extern void uITRON4_free(void *p) ;
    #define WOLFSSL_MIN_AUTH_TAG_SZ 12
 #endif

-/* If not forcing ARC4 as the DRBG or using custom RNG block gen, enable Hash_DRBG */
-#undef HAVE_HASHDRBG
-#if !defined(WOLFSSL_FORCE_RC4_DRBG) && !defined(CUSTOM_RAND_GENERATE_BLOCK)
-    #define HAVE_HASHDRBG
-#endif
-

 /* sniffer requires:
 * static RSA cipher suites