2 * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/crypto.h>
12 #include <openssl/err.h>
13 #include <openssl/rand.h>
14 #include <openssl/evp.h>
15 #include "crypto/rand.h"
16 #include <openssl/proverr.h>
17 #include "drbg_local.h"
18 #include "internal/thread_once.h"
19 #include "crypto/cryptlib.h"
20 #include "prov/seeding.h"
21 #include "crypto/rand_pool.h"
22 #include "prov/provider_ctx.h"
23 #include "prov/providercommon.h"
26 * Support framework for NIST SP 800-90A DRBG
28 * See manual page PROV_DRBG(7) for a general overview.
30 * The OpenSSL model is to have new and free functions, and that new
31 * does all initialization. That is not the NIST model, which has
32 * instantiation and un-instantiate, and re-use within a new/free
33 * lifecycle. (No doubt this comes from the desire to support hardware
34 * DRBG, where allocation of resources on something like an HSM is
35 * a much bigger deal than just re-setting an allocated resource.)
38 /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
39 static const char ossl_pers_string
[] = DRBG_DEFAULT_PERS_STRING
;
41 static const OSSL_DISPATCH
*find_call(const OSSL_DISPATCH
*dispatch
,
44 static int rand_drbg_restart(PROV_DRBG
*drbg
);
46 int ossl_drbg_lock(void *vctx
)
48 PROV_DRBG
*drbg
= vctx
;
50 if (drbg
== NULL
|| drbg
->lock
== NULL
)
52 return CRYPTO_THREAD_write_lock(drbg
->lock
);
55 void ossl_drbg_unlock(void *vctx
)
57 PROV_DRBG
*drbg
= vctx
;
59 if (drbg
!= NULL
&& drbg
->lock
!= NULL
)
60 CRYPTO_THREAD_unlock(drbg
->lock
);
63 static int ossl_drbg_lock_parent(PROV_DRBG
*drbg
)
65 void *parent
= drbg
->parent
;
68 && drbg
->parent_lock
!= NULL
69 && !drbg
->parent_lock(parent
)) {
70 ERR_raise(ERR_LIB_PROV
, PROV_R_PARENT_LOCKING_NOT_ENABLED
);
76 static void ossl_drbg_unlock_parent(PROV_DRBG
*drbg
)
78 void *parent
= drbg
->parent
;
80 if (parent
!= NULL
&& drbg
->parent_unlock
!= NULL
)
81 drbg
->parent_unlock(parent
);
84 static int get_parent_strength(PROV_DRBG
*drbg
, unsigned int *str
)
86 OSSL_PARAM params
[2] = { OSSL_PARAM_END
, OSSL_PARAM_END
};
87 void *parent
= drbg
->parent
;
90 if (drbg
->parent_get_ctx_params
== NULL
) {
91 ERR_raise(ERR_LIB_PROV
, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH
);
95 *params
= OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH
, str
);
96 if (!ossl_drbg_lock_parent(drbg
)) {
97 ERR_raise(ERR_LIB_PROV
, PROV_R_UNABLE_TO_LOCK_PARENT
);
100 res
= drbg
->parent_get_ctx_params(parent
, params
);
101 ossl_drbg_unlock_parent(drbg
);
103 ERR_raise(ERR_LIB_PROV
, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH
);
109 static unsigned int get_parent_reseed_count(PROV_DRBG
*drbg
)
111 OSSL_PARAM params
[2] = { OSSL_PARAM_END
, OSSL_PARAM_END
};
112 void *parent
= drbg
->parent
;
115 *params
= OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_COUNTER
, &r
);
116 if (!ossl_drbg_lock_parent(drbg
)) {
117 ERR_raise(ERR_LIB_PROV
, PROV_R_UNABLE_TO_LOCK_PARENT
);
120 if (!drbg
->parent_get_ctx_params(parent
, params
))
122 ossl_drbg_unlock_parent(drbg
);
126 r
= tsan_load(&drbg
->reseed_counter
) - 2;
133 * Implements the get_entropy() callback
135 * If the DRBG has a parent, then the required amount of entropy input
136 * is fetched using the parent's ossl_prov_drbg_generate().
138 * Otherwise, the entropy is polled from the system entropy sources
139 * using ossl_pool_acquire_entropy().
141 * If a random pool has been added to the DRBG using RAND_add(), then
142 * its entropy will be used up first.
144 size_t ossl_drbg_get_seed(void *vdrbg
, unsigned char **pout
,
145 int entropy
, size_t min_len
,
146 size_t max_len
, int prediction_resistance
,
147 const unsigned char *adin
, size_t adin_len
)
149 PROV_DRBG
*drbg
= (PROV_DRBG
*)vdrbg
;
151 unsigned char *buffer
;
153 /* Figure out how many bytes we need */
154 bytes_needed
= entropy
>= 0 ? (entropy
+ 7) / 8 : 0;
155 if (bytes_needed
< min_len
)
156 bytes_needed
= min_len
;
157 if (bytes_needed
> max_len
)
158 bytes_needed
= max_len
;
160 /* Allocate storage */
161 buffer
= OPENSSL_secure_malloc(bytes_needed
);
162 if (buffer
== NULL
) {
163 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
168 * Get random data. Include our DRBG address as
169 * additional input, in order to provide a distinction between
170 * different DRBG child instances.
172 * Note: using the sizeof() operator on a pointer triggers
173 * a warning in some static code analyzers, but it's
174 * intentional and correct here.
176 if (!ossl_prov_drbg_generate(drbg
, buffer
, bytes_needed
,
177 drbg
->strength
, prediction_resistance
,
178 (unsigned char *)&drbg
, sizeof(drbg
))) {
179 OPENSSL_secure_clear_free(buffer
, bytes_needed
);
180 ERR_raise(ERR_LIB_PROV
, PROV_R_GENERATE_ERROR
);
187 /* Implements the cleanup_entropy() callback */
188 void ossl_drbg_clear_seed(ossl_unused
void *vdrbg
,
189 unsigned char *out
, size_t outlen
)
191 OPENSSL_secure_clear_free(out
, outlen
);
194 static size_t get_entropy(PROV_DRBG
*drbg
, unsigned char **pout
, int entropy
,
195 size_t min_len
, size_t max_len
,
196 int prediction_resistance
)
201 if (drbg
->parent
== NULL
)
203 return ossl_crngt_get_entropy(drbg
, pout
, entropy
, min_len
, max_len
,
204 prediction_resistance
);
206 return ossl_prov_get_entropy(drbg
->provctx
, pout
, entropy
, min_len
,
210 if (drbg
->parent_get_seed
== NULL
) {
211 ERR_raise(ERR_LIB_PROV
, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED
);
214 if (!get_parent_strength(drbg
, &p_str
))
216 if (drbg
->strength
> p_str
) {
218 * We currently don't support the algorithm from NIST SP 800-90C
219 * 10.1.2 to use a weaker DRBG as source
221 ERR_raise(ERR_LIB_PROV
, PROV_R_PARENT_STRENGTH_TOO_WEAK
);
226 * Our lock is already held, but we need to lock our parent before
227 * generating bits from it. Note: taking the lock will be a no-op
228 * if locking is not required (while drbg->parent->lock == NULL).
230 if (!ossl_drbg_lock_parent(drbg
))
233 * Get random data from parent. Include our DRBG address as
234 * additional input, in order to provide a distinction between
235 * different DRBG child instances.
237 * Note: using the sizeof() operator on a pointer triggers
238 * a warning in some static code analyzers, but it's
239 * intentional and correct here.
241 bytes
= drbg
->parent_get_seed(drbg
->parent
, pout
, drbg
->strength
,
242 min_len
, max_len
, prediction_resistance
,
243 (unsigned char *)&drbg
, sizeof(drbg
));
244 ossl_drbg_unlock_parent(drbg
);
248 static void cleanup_entropy(PROV_DRBG
*drbg
, unsigned char *out
, size_t outlen
)
250 if (drbg
->parent
== NULL
) {
252 ossl_crngt_cleanup_entropy(drbg
, out
, outlen
);
254 ossl_prov_cleanup_entropy(drbg
->provctx
, out
, outlen
);
256 } else if (drbg
->parent_clear_seed
!= NULL
) {
257 if (!ossl_drbg_lock_parent(drbg
))
259 drbg
->parent_clear_seed(drbg
, out
, outlen
);
260 ossl_drbg_unlock_parent(drbg
);
264 #ifndef PROV_RAND_GET_RANDOM_NONCE
265 typedef struct prov_drbg_nonce_global_st
{
266 CRYPTO_RWLOCK
*rand_nonce_lock
;
267 int rand_nonce_count
;
268 } PROV_DRBG_NONCE_GLOBAL
;
271 * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
272 * which needs to get the rand_nonce_lock out of the OSSL_LIB_CTX...but since
273 * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
274 * to be in a different global data object. Otherwise we will go into an
275 * infinite recursion loop.
277 static void *prov_drbg_nonce_ossl_ctx_new(OSSL_LIB_CTX
*libctx
)
279 PROV_DRBG_NONCE_GLOBAL
*dngbl
= OPENSSL_zalloc(sizeof(*dngbl
));
284 dngbl
->rand_nonce_lock
= CRYPTO_THREAD_lock_new();
285 if (dngbl
->rand_nonce_lock
== NULL
) {
293 static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl
)
295 PROV_DRBG_NONCE_GLOBAL
*dngbl
= vdngbl
;
300 CRYPTO_THREAD_lock_free(dngbl
->rand_nonce_lock
);
305 static const OSSL_LIB_CTX_METHOD drbg_nonce_ossl_ctx_method
= {
306 prov_drbg_nonce_ossl_ctx_new
,
307 prov_drbg_nonce_ossl_ctx_free
,
310 /* Get a nonce from the operating system */
311 static size_t prov_drbg_get_nonce(PROV_DRBG
*drbg
, unsigned char **pout
,
312 size_t min_len
, size_t max_len
)
315 unsigned char *buf
= NULL
;
316 OSSL_LIB_CTX
*libctx
= ossl_prov_ctx_get0_libctx(drbg
->provctx
);
317 PROV_DRBG_NONCE_GLOBAL
*dngbl
318 = ossl_lib_ctx_get_data(libctx
, OSSL_LIB_CTX_DRBG_NONCE_INDEX
,
319 &drbg_nonce_ossl_ctx_method
);
328 if (drbg
->parent
!= NULL
&& drbg
->parent_nonce
!= NULL
) {
329 n
= drbg
->parent_nonce(drbg
->parent
, NULL
, 0, drbg
->min_noncelen
,
331 if (n
> 0 && (buf
= OPENSSL_malloc(n
)) != NULL
) {
332 ret
= drbg
->parent_nonce(drbg
->parent
, buf
, 0,
333 drbg
->min_noncelen
, drbg
->max_noncelen
);
342 /* Use the built in nonce source plus some of our specifics */
343 memset(&data
, 0, sizeof(data
));
345 CRYPTO_atomic_add(&dngbl
->rand_nonce_count
, 1, &data
.count
,
346 dngbl
->rand_nonce_lock
);
347 return ossl_prov_get_nonce(drbg
->provctx
, pout
, min_len
, max_len
,
348 &data
, sizeof(data
));
350 #endif /* PROV_RAND_GET_RANDOM_NONCE */
353 * Instantiate |drbg|, after it has been initialized. Use |pers| and
354 * |perslen| as prediction-resistance input.
356 * Requires that drbg->lock is already locked for write, if non-null.
358 * Returns 1 on success, 0 on failure.
360 int ossl_prov_drbg_instantiate(PROV_DRBG
*drbg
, unsigned int strength
,
361 int prediction_resistance
,
362 const unsigned char *pers
, size_t perslen
)
364 unsigned char *nonce
= NULL
, *entropy
= NULL
;
365 size_t noncelen
= 0, entropylen
= 0;
366 size_t min_entropy
, min_entropylen
, max_entropylen
;
368 if (!ossl_prov_is_running())
371 if (strength
> drbg
->strength
) {
372 ERR_raise(ERR_LIB_PROV
, PROV_R_INSUFFICIENT_DRBG_STRENGTH
);
375 min_entropy
= drbg
->strength
;
376 min_entropylen
= drbg
->min_entropylen
;
377 max_entropylen
= drbg
->max_entropylen
;
380 pers
= (const unsigned char *)ossl_pers_string
;
381 perslen
= sizeof(ossl_pers_string
);
383 if (perslen
> drbg
->max_perslen
) {
384 ERR_raise(ERR_LIB_PROV
, PROV_R_PERSONALISATION_STRING_TOO_LONG
);
388 if (drbg
->state
!= EVP_RAND_STATE_UNINITIALISED
) {
389 if (drbg
->state
== EVP_RAND_STATE_ERROR
)
390 ERR_raise(ERR_LIB_PROV
, PROV_R_IN_ERROR_STATE
);
392 ERR_raise(ERR_LIB_PROV
, PROV_R_ALREADY_INSTANTIATED
);
396 drbg
->state
= EVP_RAND_STATE_ERROR
;
398 if (drbg
->min_noncelen
> 0) {
399 if (drbg
->parent_nonce
!= NULL
) {
400 noncelen
= drbg
->parent_nonce(drbg
->parent
, NULL
, drbg
->strength
,
404 ERR_raise(ERR_LIB_PROV
, PROV_R_ERROR_RETRIEVING_NONCE
);
407 nonce
= OPENSSL_malloc(noncelen
);
409 ERR_raise(ERR_LIB_PROV
, PROV_R_ERROR_RETRIEVING_NONCE
);
412 if (noncelen
!= drbg
->parent_nonce(drbg
->parent
, nonce
,
415 drbg
->max_noncelen
)) {
416 ERR_raise(ERR_LIB_PROV
, PROV_R_ERROR_RETRIEVING_NONCE
);
419 #ifndef PROV_RAND_GET_RANDOM_NONCE
420 } else if (drbg
->parent
!= NULL
) {
423 * NIST SP800-90Ar1 section 9.1 says you can combine getting
424 * the entropy and nonce in 1 call by increasing the entropy
425 * with 50% and increasing the minimum length to accommodate
426 * the length of the nonce. We do this in case a nonce is
427 * required and there is no parental nonce capability.
429 min_entropy
+= drbg
->strength
/ 2;
430 min_entropylen
+= drbg
->min_noncelen
;
431 max_entropylen
+= drbg
->max_noncelen
;
433 #ifndef PROV_RAND_GET_RANDOM_NONCE
434 else { /* parent == NULL */
435 noncelen
= prov_drbg_get_nonce(drbg
, &nonce
, drbg
->min_noncelen
,
437 if (noncelen
< drbg
->min_noncelen
438 || noncelen
> drbg
->max_noncelen
) {
439 ERR_raise(ERR_LIB_PROV
, PROV_R_ERROR_RETRIEVING_NONCE
);
446 drbg
->reseed_next_counter
= tsan_load(&drbg
->reseed_counter
);
447 if (drbg
->reseed_next_counter
) {
448 drbg
->reseed_next_counter
++;
449 if (!drbg
->reseed_next_counter
)
450 drbg
->reseed_next_counter
= 1;
453 entropylen
= get_entropy(drbg
, &entropy
, min_entropy
,
454 min_entropylen
, max_entropylen
,
455 prediction_resistance
);
456 if (entropylen
< min_entropylen
457 || entropylen
> max_entropylen
) {
458 ERR_raise(ERR_LIB_PROV
, PROV_R_ERROR_RETRIEVING_ENTROPY
);
462 if (!drbg
->instantiate(drbg
, entropy
, entropylen
, nonce
, noncelen
,
464 ERR_raise(ERR_LIB_PROV
, PROV_R_ERROR_INSTANTIATING_DRBG
);
468 drbg
->state
= EVP_RAND_STATE_READY
;
469 drbg
->generate_counter
= 1;
470 drbg
->reseed_time
= time(NULL
);
471 tsan_store(&drbg
->reseed_counter
, drbg
->reseed_next_counter
);
475 cleanup_entropy(drbg
, entropy
, entropylen
);
477 ossl_prov_cleanup_nonce(drbg
->provctx
, nonce
, noncelen
);
478 if (drbg
->state
== EVP_RAND_STATE_READY
)
484 * Uninstantiate |drbg|. Must be instantiated before it can be used.
486 * Requires that drbg->lock is already locked for write, if non-null.
488 * Returns 1 on success, 0 on failure.
490 int ossl_prov_drbg_uninstantiate(PROV_DRBG
*drbg
)
492 drbg
->state
= EVP_RAND_STATE_UNINITIALISED
;
497 * Reseed |drbg|, mixing in the specified data
499 * Requires that drbg->lock is already locked for write, if non-null.
501 * Returns 1 on success, 0 on failure.
503 int ossl_prov_drbg_reseed(PROV_DRBG
*drbg
, int prediction_resistance
,
504 const unsigned char *ent
, size_t ent_len
,
505 const unsigned char *adin
, size_t adinlen
)
507 unsigned char *entropy
= NULL
;
508 size_t entropylen
= 0;
510 if (!ossl_prov_is_running())
513 if (drbg
->state
!= EVP_RAND_STATE_READY
) {
514 /* try to recover from previous errors */
515 rand_drbg_restart(drbg
);
517 if (drbg
->state
== EVP_RAND_STATE_ERROR
) {
518 ERR_raise(ERR_LIB_PROV
, PROV_R_IN_ERROR_STATE
);
521 if (drbg
->state
== EVP_RAND_STATE_UNINITIALISED
) {
522 ERR_raise(ERR_LIB_PROV
, PROV_R_NOT_INSTANTIATED
);
528 if (ent_len
< drbg
->min_entropylen
) {
529 ERR_raise(ERR_LIB_RAND
, RAND_R_ENTROPY_OUT_OF_RANGE
);
530 drbg
->state
= EVP_RAND_STATE_ERROR
;
533 if (ent_len
> drbg
->max_entropylen
) {
534 ERR_raise(ERR_LIB_RAND
, RAND_R_ENTROPY_INPUT_TOO_LONG
);
535 drbg
->state
= EVP_RAND_STATE_ERROR
;
542 } else if (adinlen
> drbg
->max_adinlen
) {
543 ERR_raise(ERR_LIB_PROV
, PROV_R_ADDITIONAL_INPUT_TOO_LONG
);
547 drbg
->state
= EVP_RAND_STATE_ERROR
;
549 drbg
->reseed_next_counter
= tsan_load(&drbg
->reseed_counter
);
550 if (drbg
->reseed_next_counter
) {
551 drbg
->reseed_next_counter
++;
552 if (!drbg
->reseed_next_counter
)
553 drbg
->reseed_next_counter
= 1;
559 * NIST SP-800-90A mandates that entropy *shall not* be provided
560 * by the consuming application. Instead the data is added as additional
563 * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)
565 if (!drbg
->reseed(drbg
, NULL
, 0, ent
, ent_len
)) {
566 ERR_raise(ERR_LIB_PROV
, PROV_R_UNABLE_TO_RESEED
);
570 if (!drbg
->reseed(drbg
, ent
, ent_len
, adin
, adinlen
)) {
571 ERR_raise(ERR_LIB_PROV
, PROV_R_UNABLE_TO_RESEED
);
574 /* There isn't much point adding the same additional input twice */
580 /* Reseed using our sources in addition */
581 entropylen
= get_entropy(drbg
, &entropy
, drbg
->strength
,
582 drbg
->min_entropylen
, drbg
->max_entropylen
,
583 prediction_resistance
);
584 if (entropylen
< drbg
->min_entropylen
585 || entropylen
> drbg
->max_entropylen
) {
586 ERR_raise(ERR_LIB_PROV
, PROV_R_ERROR_RETRIEVING_ENTROPY
);
590 if (!drbg
->reseed(drbg
, entropy
, entropylen
, adin
, adinlen
))
593 drbg
->state
= EVP_RAND_STATE_READY
;
594 drbg
->generate_counter
= 1;
595 drbg
->reseed_time
= time(NULL
);
596 tsan_store(&drbg
->reseed_counter
, drbg
->reseed_next_counter
);
597 if (drbg
->parent
!= NULL
)
598 drbg
->parent_reseed_counter
= get_parent_reseed_count(drbg
);
601 cleanup_entropy(drbg
, entropy
, entropylen
);
602 if (drbg
->state
== EVP_RAND_STATE_READY
)
608 * Generate |outlen| bytes into the buffer at |out|. Reseed if we need
609 * to or if |prediction_resistance| is set. Additional input can be
610 * sent in |adin| and |adinlen|.
612 * Requires that drbg->lock is already locked for write, if non-null.
614 * Returns 1 on success, 0 on failure.
617 int ossl_prov_drbg_generate(PROV_DRBG
*drbg
, unsigned char *out
, size_t outlen
,
618 unsigned int strength
, int prediction_resistance
,
619 const unsigned char *adin
, size_t adinlen
)
622 int reseed_required
= 0;
624 if (!ossl_prov_is_running())
627 if (drbg
->state
!= EVP_RAND_STATE_READY
) {
628 /* try to recover from previous errors */
629 rand_drbg_restart(drbg
);
631 if (drbg
->state
== EVP_RAND_STATE_ERROR
) {
632 ERR_raise(ERR_LIB_PROV
, PROV_R_IN_ERROR_STATE
);
635 if (drbg
->state
== EVP_RAND_STATE_UNINITIALISED
) {
636 ERR_raise(ERR_LIB_PROV
, PROV_R_NOT_INSTANTIATED
);
640 if (strength
> drbg
->strength
) {
641 ERR_raise(ERR_LIB_PROV
, PROV_R_INSUFFICIENT_DRBG_STRENGTH
);
645 if (outlen
> drbg
->max_request
) {
646 ERR_raise(ERR_LIB_PROV
, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG
);
649 if (adinlen
> drbg
->max_adinlen
) {
650 ERR_raise(ERR_LIB_PROV
, PROV_R_ADDITIONAL_INPUT_TOO_LONG
);
654 fork_id
= openssl_get_fork_id();
656 if (drbg
->fork_id
!= fork_id
) {
657 drbg
->fork_id
= fork_id
;
661 if (drbg
->reseed_interval
> 0) {
662 if (drbg
->generate_counter
>= drbg
->reseed_interval
)
665 if (drbg
->reseed_time_interval
> 0) {
666 time_t now
= time(NULL
);
667 if (now
< drbg
->reseed_time
668 || now
- drbg
->reseed_time
>= drbg
->reseed_time_interval
)
671 if (drbg
->parent
!= NULL
672 && get_parent_reseed_count(drbg
) != drbg
->parent_reseed_counter
)
675 if (reseed_required
|| prediction_resistance
) {
676 if (!ossl_prov_drbg_reseed(drbg
, prediction_resistance
, NULL
, 0,
678 ERR_raise(ERR_LIB_PROV
, PROV_R_RESEED_ERROR
);
685 if (!drbg
->generate(drbg
, out
, outlen
, adin
, adinlen
)) {
686 drbg
->state
= EVP_RAND_STATE_ERROR
;
687 ERR_raise(ERR_LIB_PROV
, PROV_R_GENERATE_ERROR
);
691 drbg
->generate_counter
++;
697 * Restart |drbg|, using the specified entropy or additional input
699 * Tries its best to get the drbg instantiated by all means,
700 * regardless of its current state.
702 * Optionally, a |buffer| of |len| random bytes can be passed,
703 * which is assumed to contain at least |entropy| bits of entropy.
705 * If |entropy| > 0, the buffer content is used as entropy input.
707 * If |entropy| == 0, the buffer content is used as additional input
709 * Returns 1 on success, 0 on failure.
711 * This function is used internally only.
713 static int rand_drbg_restart(PROV_DRBG
*drbg
)
715 /* repair error state */
716 if (drbg
->state
== EVP_RAND_STATE_ERROR
)
717 drbg
->uninstantiate(drbg
);
719 /* repair uninitialized state */
720 if (drbg
->state
== EVP_RAND_STATE_UNINITIALISED
)
721 /* reinstantiate drbg */
722 ossl_prov_drbg_instantiate(drbg
, drbg
->strength
, 0, NULL
, 0);
724 return drbg
->state
== EVP_RAND_STATE_READY
;
727 /* Provider support from here down */
728 static const OSSL_DISPATCH
*find_call(const OSSL_DISPATCH
*dispatch
,
731 if (dispatch
!= NULL
)
732 while (dispatch
->function_id
!= 0) {
733 if (dispatch
->function_id
== function
)
740 int ossl_drbg_enable_locking(void *vctx
)
742 PROV_DRBG
*drbg
= vctx
;
744 if (drbg
!= NULL
&& drbg
->lock
== NULL
) {
745 if (drbg
->parent_enable_locking
!= NULL
)
746 if (!drbg
->parent_enable_locking(drbg
->parent
)) {
747 ERR_raise(ERR_LIB_PROV
, PROV_R_PARENT_LOCKING_NOT_ENABLED
);
750 drbg
->lock
= CRYPTO_THREAD_lock_new();
751 if (drbg
->lock
== NULL
) {
752 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_CREATE_LOCK
);
760 * Allocate memory and initialize a new DRBG. The DRBG is allocated on
761 * the secure heap if |secure| is nonzero and the secure heap is enabled.
762 * The |parent|, if not NULL, will be used as random source for reseeding.
763 * This also requires the parent's provider context and the parent's lock.
765 * Returns a pointer to the new DRBG instance on success, NULL on failure.
767 PROV_DRBG
*ossl_rand_drbg_new
768 (void *provctx
, void *parent
, const OSSL_DISPATCH
*p_dispatch
,
769 int (*dnew
)(PROV_DRBG
*ctx
),
770 int (*instantiate
)(PROV_DRBG
*drbg
,
771 const unsigned char *entropy
, size_t entropylen
,
772 const unsigned char *nonce
, size_t noncelen
,
773 const unsigned char *pers
, size_t perslen
),
774 int (*uninstantiate
)(PROV_DRBG
*ctx
),
775 int (*reseed
)(PROV_DRBG
*drbg
, const unsigned char *ent
, size_t ent_len
,
776 const unsigned char *adin
, size_t adin_len
),
777 int (*generate
)(PROV_DRBG
*, unsigned char *out
, size_t outlen
,
778 const unsigned char *adin
, size_t adin_len
))
782 const OSSL_DISPATCH
*pfunc
;
784 if (!ossl_prov_is_running())
787 drbg
= OPENSSL_zalloc(sizeof(*drbg
));
789 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
793 drbg
->provctx
= provctx
;
794 drbg
->instantiate
= instantiate
;
795 drbg
->uninstantiate
= uninstantiate
;
796 drbg
->reseed
= reseed
;
797 drbg
->generate
= generate
;
798 drbg
->fork_id
= openssl_get_fork_id();
800 /* Extract parent's functions */
801 drbg
->parent
= parent
;
802 if ((pfunc
= find_call(p_dispatch
, OSSL_FUNC_RAND_ENABLE_LOCKING
)) != NULL
)
803 drbg
->parent_enable_locking
= OSSL_FUNC_rand_enable_locking(pfunc
);
804 if ((pfunc
= find_call(p_dispatch
, OSSL_FUNC_RAND_LOCK
)) != NULL
)
805 drbg
->parent_lock
= OSSL_FUNC_rand_lock(pfunc
);
806 if ((pfunc
= find_call(p_dispatch
, OSSL_FUNC_RAND_UNLOCK
)) != NULL
)
807 drbg
->parent_unlock
= OSSL_FUNC_rand_unlock(pfunc
);
808 if ((pfunc
= find_call(p_dispatch
, OSSL_FUNC_RAND_GET_CTX_PARAMS
)) != NULL
)
809 drbg
->parent_get_ctx_params
= OSSL_FUNC_rand_get_ctx_params(pfunc
);
810 if ((pfunc
= find_call(p_dispatch
, OSSL_FUNC_RAND_NONCE
)) != NULL
)
811 drbg
->parent_nonce
= OSSL_FUNC_rand_nonce(pfunc
);
812 if ((pfunc
= find_call(p_dispatch
, OSSL_FUNC_RAND_GET_SEED
)) != NULL
)
813 drbg
->parent_get_seed
= OSSL_FUNC_rand_get_seed(pfunc
);
814 if ((pfunc
= find_call(p_dispatch
, OSSL_FUNC_RAND_CLEAR_SEED
)) != NULL
)
815 drbg
->parent_clear_seed
= OSSL_FUNC_rand_clear_seed(pfunc
);
817 /* Set some default maximums up */
818 drbg
->max_entropylen
= DRBG_MAX_LENGTH
;
819 drbg
->max_noncelen
= DRBG_MAX_LENGTH
;
820 drbg
->max_perslen
= DRBG_MAX_LENGTH
;
821 drbg
->max_adinlen
= DRBG_MAX_LENGTH
;
822 drbg
->generate_counter
= 1;
823 drbg
->reseed_counter
= 1;
824 drbg
->reseed_interval
= RESEED_INTERVAL
;
825 drbg
->reseed_time_interval
= TIME_INTERVAL
;
830 if (parent
!= NULL
) {
831 if (!get_parent_strength(drbg
, &p_str
))
833 if (drbg
->strength
> p_str
) {
835 * We currently don't support the algorithm from NIST SP 800-90C
836 * 10.1.2 to use a weaker DRBG as source
838 ERR_raise(ERR_LIB_PROV
, PROV_R_PARENT_STRENGTH_TOO_WEAK
);
845 ossl_rand_drbg_free(drbg
);
849 void ossl_rand_drbg_free(PROV_DRBG
*drbg
)
854 CRYPTO_THREAD_lock_free(drbg
->lock
);
858 int ossl_drbg_get_ctx_params(PROV_DRBG
*drbg
, OSSL_PARAM params
[])
862 p
= OSSL_PARAM_locate(params
, OSSL_RAND_PARAM_STATE
);
863 if (p
!= NULL
&& !OSSL_PARAM_set_int(p
, drbg
->state
))
866 p
= OSSL_PARAM_locate(params
, OSSL_RAND_PARAM_STRENGTH
);
867 if (p
!= NULL
&& !OSSL_PARAM_set_int(p
, drbg
->strength
))
870 p
= OSSL_PARAM_locate(params
, OSSL_RAND_PARAM_MAX_REQUEST
);
871 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, drbg
->max_request
))
874 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_MIN_ENTROPYLEN
);
875 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, drbg
->min_entropylen
))
878 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_MAX_ENTROPYLEN
);
879 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, drbg
->max_entropylen
))
882 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_MIN_NONCELEN
);
883 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, drbg
->min_noncelen
))
886 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_MAX_NONCELEN
);
887 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, drbg
->max_noncelen
))
890 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_MAX_PERSLEN
);
891 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, drbg
->max_perslen
))
894 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_MAX_ADINLEN
);
895 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, drbg
->max_adinlen
))
898 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_RESEED_REQUESTS
);
899 if (p
!= NULL
&& !OSSL_PARAM_set_uint(p
, drbg
->reseed_interval
))
902 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_RESEED_TIME
);
903 if (p
!= NULL
&& !OSSL_PARAM_set_time_t(p
, drbg
->reseed_time
))
906 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL
);
907 if (p
!= NULL
&& !OSSL_PARAM_set_time_t(p
, drbg
->reseed_time_interval
))
910 p
= OSSL_PARAM_locate(params
, OSSL_DRBG_PARAM_RESEED_COUNTER
);
912 && !OSSL_PARAM_set_uint(p
, tsan_load(&drbg
->reseed_counter
)))
917 int ossl_drbg_set_ctx_params(PROV_DRBG
*drbg
, const OSSL_PARAM params
[])
921 p
= OSSL_PARAM_locate_const(params
, OSSL_DRBG_PARAM_RESEED_REQUESTS
);
922 if (p
!= NULL
&& !OSSL_PARAM_get_uint(p
, &drbg
->reseed_interval
))
925 p
= OSSL_PARAM_locate_const(params
, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL
);
926 if (p
!= NULL
&& !OSSL_PARAM_get_time_t(p
, &drbg
->reseed_time_interval
))