1 /* Microsoft Reference Implementation for TPM 2.0
2  *
3  *  The copyright in this software is being made available under the BSD License,
4  *  included below. This software may be subject to other third party and
5  *  contributor rights, including patent rights, and no such rights are granted
6  *  under this license.
7  *
8  *  Copyright (c) Microsoft Corporation
9  *
10  *  All rights reserved.
11  *
12  *  BSD License
13  *
14  *  Redistribution and use in source and binary forms, with or without modification,
15  *  are permitted provided that the following conditions are met:
16  *
17  *  Redistributions of source code must retain the above copyright notice, this list
18  *  of conditions and the following disclaimer.
19  *
20  *  Redistributions in binary form must reproduce the above copyright notice, this
21  *  list of conditions and the following disclaimer in the documentation and/or
22  *  other materials provided with the distribution.
23  *
24  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ""AS IS""
25  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
27  *  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
28  *  ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
29  *  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
30  *  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
31  *  ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
32  *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 //** Introduction
// This file contains constant definitions shared by CryptUtil and the parts
// of the Crypto Engine.
38 //
39 
40 #ifndef _CRYPT_RAND_H
41 #define _CRYPT_RAND_H
42 
43 
44 //** DRBG Structures and Defines
45 
46 // Values and structures for the random number generator. These values are defined
47 // in this header file so that the size of the RNG state can be known to TPM.lib.
48 // This allows the allocation of some space in NV memory for the state to
49 // be stored on an orderly shutdown.
50 
51 // The DRBG based on a symmetric block cipher is defined by three values,
52 // 1) the key size
53 // 2) the block size (the IV size)
54 // 3) the symmetric algorithm
55 
// The three cipher parameters of the CTR_DRBG. The key size is taken from the
// AES limits (AES_MAX_KEY_SIZE_BITS, defined elsewhere), the IV is one
// AES_MAX_BLOCK_SIZE-byte block expressed in bits, and the cipher is AES.
// Every other DRBG_* size in this file is derived from these three values, so
// changing the cipher binding means re-checking the #error guards below.
#define DRBG_KEY_SIZE_BITS      AES_MAX_KEY_SIZE_BITS
#define DRBG_IV_SIZE_BITS       (AES_MAX_BLOCK_SIZE * 8)
#define DRBG_ALGORITHM          TPM_ALG_AES
59 
60 
// Block-cipher hooks used by the DRBG, bound to the AES implementation so that
// the DRBG code itself only refers to DRBG_* names.
typedef tpmKeyScheduleAES     DRBG_KEY_SCHEDULE;
// Expands 'key' ('keySizeInBits' long) into 'schedule'. Presumably always
// called with DRBG_KEY_SIZE_BITS; TpmCryptSetEncryptKeyAES is defined elsewhere.
#define DRBG_ENCRYPT_SETUP(key, keySizeInBits, schedule)        \
            TpmCryptSetEncryptKeyAES(key, keySizeInBits, schedule)
// Encrypts 'in' to 'out' under 'keySchedule' (one cipher block, presumably).
// SWIZZLE (defined elsewhere) rearranges the arguments into the order that
// TpmCryptEncryptAES takes.
#define DRBG_ENCRYPT(keySchedule, in, out)                      \
            TpmCryptEncryptAES(SWIZZLE(keySchedule, in, out))
66 
// Compile-time checks on the sizes chosen above. Both sizes must be whole
// words of RADIX_BITS (presumably the width of crypt_uword_t) because the
// DRBG_KEY/DRBG_IV/DRBG_SEED unions below expose them as word arrays, and the
// key must be a whole number of cipher blocks. A cipher binding that violates
// either rule is rejected here rather than silently mis-sized at run time.
#if     ((DRBG_KEY_SIZE_BITS % RADIX_BITS) != 0) \
    || ((DRBG_IV_SIZE_BITS % RADIX_BITS) != 0)
#error "Key size and IV for DRBG must be even multiples of the radix"
#endif
#if (DRBG_KEY_SIZE_BITS % DRBG_IV_SIZE_BITS) != 0
#error "Key size for DRBG must be even multiple of the cypher block size"
#endif
74 
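// Derived values: upper bounds for the block-cipher DRBG.
// The shifts are done in UINT64 because a plain (1 << 48) or (1 << 32) shifts
// a 32-bit int by at least its width, which is undefined behavior on targets
// where int is 32 bits and does not produce the intended value. The form
// matches CTR_DRBG_MAX_REQUESTS_PER_RESEED further down.
#define DRBG_MAX_REQUESTS_PER_RESEED ((UINT64)1 << 48)
// The historical spelling "REQEST" is kept: the name is part of this header's
// interface.
#define DRBG_MAX_REQEST_SIZE         ((UINT64)1 << 32)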
78 
// Views of the two halves of a DRBG_SEED: the key is the first
// DRBG_KEY_SIZE_BYTES of the seed and the IV is the bytes that follow, which is
// exactly the layout DRBG_SEED_SIZE_BYTES (key + IV) below describes.
// The argument is reinterpreted byte-wise, so 'seed' must point at a real
// DRBG_SEED (or storage at least as large and as aligned as one). The IV view
// starts at DRBG_KEY_SIZE_BYTES, a whole multiple of RADIX_BYTES, so its word
// member stays aligned as long as crypt_uword_t alignment is RADIX_BYTES --
// NOTE(review): assumed from the definitions below, confirm.
#define pDRBG_KEY(seed)    ((DRBG_KEY *)&(((BYTE *)(seed))[0]))
#define pDRBG_IV(seed)     ((DRBG_IV *)&(((BYTE *)(seed))[DRBG_KEY_SIZE_BYTES]))
81 
// Key, IV and seed sizes in crypt_uword_t words and in bytes.
// BITS_TO_CRYPT_WORDS, RADIX_BYTES and crypt_uword_t are defined elsewhere;
// assuming BITS_TO_CRYPT_WORDS converts at RADIX_BITS per word, the #error
// checks above make these conversions exact (no padding), so a seed is simply
// the key bytes followed by the IV bytes -- the layout pDRBG_KEY/pDRBG_IV
// depend on.
#define DRBG_KEY_SIZE_WORDS     (BITS_TO_CRYPT_WORDS(DRBG_KEY_SIZE_BITS))
#define DRBG_KEY_SIZE_BYTES     (DRBG_KEY_SIZE_WORDS * RADIX_BYTES)

#define DRBG_IV_SIZE_WORDS      (BITS_TO_CRYPT_WORDS(DRBG_IV_SIZE_BITS))
#define DRBG_IV_SIZE_BYTES      (DRBG_IV_SIZE_WORDS * RADIX_BYTES)

// Seed = key || IV, in both units.
#define DRBG_SEED_SIZE_WORDS    (DRBG_KEY_SIZE_WORDS + DRBG_IV_SIZE_WORDS)
#define DRBG_SEED_SIZE_BYTES    (DRBG_KEY_SIZE_BYTES + DRBG_IV_SIZE_BYTES)
90 
91 
// DRBG key, viewable as raw bytes or as crypt_uword_t words over the same
// storage. The byte count is the word count times RADIX_BYTES, so the two
// arrays coincide exactly only if sizeof(crypt_uword_t) == RADIX_BYTES --
// presumably how the crypto engine defines them; confirm.
typedef union
{
    BYTE            bytes[DRBG_KEY_SIZE_BYTES];
    crypt_uword_t   words[DRBG_KEY_SIZE_WORDS];
} DRBG_KEY;
97 
// DRBG IV (one cipher block, per DRBG_IV_SIZE_BITS), as bytes or as words.
// Same size relationship as DRBG_KEY: both views cover the same storage.
typedef union
{
    BYTE            bytes[DRBG_IV_SIZE_BYTES];
    crypt_uword_t   words[DRBG_IV_SIZE_WORDS];
} DRBG_IV;
103 
// DRBG seed: the key followed by the IV (DRBG_SEED_SIZE_* are the sums of the
// two), accessible as bytes or as words. pDRBG_KEY/pDRBG_IV above carve the
// two halves out of this storage. It is embedded in DRBG_STATE and therefore,
// per the section comment, is part of what is saved to NV on orderly shutdown.
typedef union
{
    BYTE            bytes[DRBG_SEED_SIZE_BYTES];
    crypt_uword_t   words[DRBG_SEED_SIZE_WORDS];
} DRBG_SEED;
109 
// Operational limits for the CTR_DRBG; the names follow the SP 800-90A
// parameter names. Both are tighter than the DRBG_MAX_* derived values above
// (2^20 < 2^48 requests, 2^16 < 2^32 bytes), which is the conservative
// direction. The reseed limit is formed in UINT64, presumably so that it
// compares cleanly with DRBG_STATE.reseedCounter, which is UINT64.
#define CTR_DRBG_MAX_REQUESTS_PER_RESEED        ((UINT64)1 << 20)
#define CTR_DRBG_MAX_BYTES_PER_REQUEST          (1 << 16)

// Entropy input and additional input are pinned to exactly one seed's worth
// of bytes (min == max), i.e. a full key + IV is consumed on every
// instantiate/reseed. Anything shorter or longer is outside this contract.
#   define CTR_DRBG_MIN_ENTROPY_INPUT_LENGTH    DRBG_SEED_SIZE_BYTES
#   define CTR_DRBG_MAX_ENTROPY_INPUT_LENGTH    DRBG_SEED_SIZE_BYTES
#   define CTR_DRBG_MAX_ADDITIONAL_INPUT_LENGTH DRBG_SEED_SIZE_BYTES
116 
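// Bits of g_cryptoSelfTestState.rng (declared elsewhere) that record the RNG
// self-test status. Each accessor trio below reads/sets/clears one of them.
#define     TESTING         (1 << 0)    // IsSelfTest(): self-test mode
#define     ENTROPY         (1 << 1)    // IsEntropyBad(): entropy judged bad
#define     TESTED          (1 << 2)    // IsDrbgTested(): DRBG has been tested

// Generic bit accessors. BIT is parenthesized so that a combined mask works:
// without the parentheses ClearTestStateBit(TESTING | ENTROPY) expanded to
// (rng &= ~TESTING | ENTROPY), which clears TESTING but *sets* ENTROPY, and
// IsTestStateSet(TESTING | ENTROPY) expanded to ((rng & TESTING | ENTROPY) != 0),
// which is always true.
#define     IsTestStateSet(BIT)    ((g_cryptoSelfTestState.rng & (BIT)) != 0)
#define     SetTestStateBit(BIT)   (g_cryptoSelfTestState.rng |= (BIT))
#define     ClearTestStateBit(BIT) (g_cryptoSelfTestState.rng &= ~(BIT))

// Self-test mode
#define     IsSelfTest()    IsTestStateSet(TESTING)
#define     SetSelfTest()   SetTestStateBit(TESTING)
#define     ClearSelfTest() ClearTestStateBit(TESTING)

// Entropy source judged bad
#define     IsEntropyBad()      IsTestStateSet(ENTROPY)
#define     SetEntropyBad()     SetTestStateBit(ENTROPY)
#define     ClearEntropyBad()   ClearTestStateBit(ENTROPY)

// DRBG has been tested
#define     IsDrbgTested()      IsTestStateSet(TESTED)
#define     SetDrbgTested()     SetTestStateBit(TESTED)
#define     ClearDrbgTested()   ClearTestStateBit(TESTED)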
136 
// Working state of the counter-mode DRBG. Per the comment at the top of this
// section, this is what gets saved to NV on an orderly shutdown, so the field
// order and sizes here are part of the stored format: changing them invalidates
// any state already written. The first two fields are the common prefix that
// RAND_STATE requires (64-bit counter, then 32-bit magic).
typedef struct
{
    UINT64      reseedCounter;  // presumably the number of generate requests
                                // since the last reseed, bounded by
                                // CTR_DRBG_MAX_REQUESTS_PER_RESEED -- confirm
    UINT32      magic;          // expected to hold DRBG_MAGIC (defined below)
    DRBG_SEED   seed; // contains the key and IV for the counter mode DRBG
    UINT32      lastValue[4];   // used when the TPM does continuous self-test
                                // for FIPS compliance of DRBG (16 bytes, i.e.
                                // presumably the previous output block so a
                                // repeated block can be detected)
} DRBG_STATE, *pDRBG_STATE;
145 #define DRBG_MAGIC   ((UINT32) 0x47425244) // "DRBG" backwards so that it displays
146 
// State for the KDF-based random source. Shares the leading (64-bit counter,
// 32-bit magic) pair with DRBG_STATE so that RAND_STATE can inspect either.
// Unlike DRBG_STATE it holds raw pointers into caller-provided TPM2B buffers,
// so it is only meaningful while those buffers are alive and is not a
// candidate for NV storage -- NOTE(review): inferred from the pointer members.
// The pointer typedef is spelled pKDR_STATE (sic); the name is kept as-is since
// it is part of this header's interface.
typedef struct KDF_STATE {
    UINT64               counter;       // presumably the KDF iteration counter
    UINT32               magic;         // expected to hold KDF_MAGIC (below)
    UINT32               limit;         // NOTE(review): a bound on counter? confirm
    TPM2B               *seed;          // NOTE(review): ownership of these three
    const TPM2B         *label;         // buffers is not expressed here; assumed
    TPM2B               *context;       // to stay with the caller -- confirm
    TPM_ALG_ID           hash;          // hash algorithm underlying the KDF
    TPM_ALG_ID           kdf;           // which KDF scheme is in use
    UINT16               digestSize;    // presumably bytes per 'hash' output
    TPM2B_DIGEST         residual;      // presumably leftover generated bytes
                                        // carried over between calls -- confirm
} KDF_STATE, *pKDR_STATE;
159 #define KDF_MAGIC    ((UINT32) 0x4048444a) // "KDF " backwards
160 
// Either random source, overlaid so that one pointer type (see s_random) can
// carry whichever is in use. Make sure that any other structure added to this
// union starts with a 64-bit counter and a 32-bit magic number: that common
// prefix is what lets the active member be told apart (presumably by comparing
// magic against DRBG_MAGIC / KDF_MAGIC).
typedef union
{
    DRBG_STATE      drbg;
    KDF_STATE       kdf;
} RAND_STATE;
168 
// Pointer to the state used when the library needs a random number generator.
// A special function is installed for the library to call; that function picks
// up the state from this location, rather than receiving it as an argument,
// and uses it for the generation of the random number. Whoever sets s_random
// must therefore keep the pointed-to RAND_STATE valid until the pointer is
// cleared, and as a single global it can describe only one active random
// source at a time.
extern RAND_STATE           *s_random;
174 
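// When instrumenting RSA key sieve.
// With RSA_INSTRUMENT non-zero, the prime-generation code (presumably the RSA
// key sieve, per the original comment) keeps per-key-size counters in the
// globals declared here; otherwise the INSTRUMENT_* macros expand to nothing
// so instrumented statements cost nothing in production builds.
#if  RSA_INSTRUMENT
// Maps an RSA prime size in bits to an index into the [3] arrays below:
// 512 -> 0, 1024 -> 1, anything else -> 2.
#define PRIME_INDEX(x)  ((x) == 512 ? 0 : (x) == 1024 ? 1 : 2)
// Each expansion is a single fully parenthesized expression so that all three
// macros compose the same way (the original ADD/INC expansions were not
// parenthesized as a whole, unlike SET).
#   define INSTRUMENT_SET(a, b) ((a) = (b))
#   define INSTRUMENT_ADD(a, b) ((a) = (a) + (b))
#   define INSTRUMENT_INC(a)    ((a) = (a) + 1)

extern UINT32  PrimeIndex;
extern UINT32  failedAtIteration[10];
extern UINT32  PrimeCounts[3];
extern UINT32  MillerRabinTrials[3];
extern UINT32  totalFieldsSieved[3];
extern UINT32  bitsInFieldAfterSieve[3];
extern UINT32  emptyFieldsSieved[3];
extern UINT32  noPrimeFields[3];
extern UINT32  primesChecked[3];
extern UINT16  lastSievePrime;
#else
// Not instrumenting: the macros vanish, so callers must not depend on their
// value or on their arguments being evaluated.
#   define INSTRUMENT_SET(a, b)
#   define INSTRUMENT_ADD(a, b)
#   define INSTRUMENT_INC(a)
#endif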
197 
198 #endif // _CRYPT_RAND_H
199