[thirdparty/openssl.git] / doc / man3 / RAND_DRBG_set_callbacks.pod

=pod

=head1 NAME

RAND_DRBG_set_callbacks,
RAND_DRBG_set_callback_data,
RAND_DRBG_get_callback_data,
RAND_DRBG_get_entropy_fn,
RAND_DRBG_cleanup_entropy_fn,
RAND_DRBG_get_nonce_fn,
RAND_DRBG_cleanup_nonce_fn
- set callbacks for reseeding

=head1 SYNOPSIS

 #include <openssl/rand_drbg.h>


 int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
                             RAND_DRBG_get_entropy_fn get_entropy,
                             RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
                             RAND_DRBG_get_nonce_fn get_nonce,
                             RAND_DRBG_cleanup_nonce_fn cleanup_nonce);

 int RAND_DRBG_set_callback_data(RAND_DRBG *drbg, void *ctx);

 void *RAND_DRBG_get_callback_data(RAND_DRBG *drbg);

=head2 Callback Functions

 typedef size_t (*RAND_DRBG_get_entropy_fn)(
                       RAND_DRBG *drbg,
                       unsigned char **pout,
                       int entropy,
                       size_t min_len, size_t max_len,
                       int prediction_resistance);

 typedef void (*RAND_DRBG_cleanup_entropy_fn)(
                     RAND_DRBG *drbg,
                     unsigned char *out, size_t outlen);

 typedef size_t (*RAND_DRBG_get_nonce_fn)(
                       RAND_DRBG *drbg,
                       unsigned char **pout,
                       int entropy,
                       size_t min_len, size_t max_len);

 typedef void (*RAND_DRBG_cleanup_nonce_fn)(
                     RAND_DRBG *drbg,
                     unsigned char *out, size_t outlen);


=head1 DESCRIPTION

RAND_DRBG_set_callbacks() sets the callbacks for obtaining fresh entropy and
the nonce when reseeding the given B<drbg>.
The callback functions are implemented and provided by the caller.
Their parameter lists need to match the function prototypes above.

RAND_DRBG_set_callback_data() can be used to store a pointer to some context
specific data, which can subsequently be retrieved by the entropy and nonce
callbacks using RAND_DRBG_get_callback_data().
The ownership of the context data remains with the caller, i.e., it is the
caller's responsibility to keep it available as long as it is needed by the
callbacks and free it after use.
For more information about the callback data see the NOTES section.

Setting the callbacks or the callback data is allowed only if the DRBG has
not been initialized yet.
Otherwise, the operation will fail.
To change the settings for one of the three shared DRBGs it is necessary to call
RAND_DRBG_uninstantiate() first.

The B<get_entropy>() callback is called by the B<drbg> when it requests fresh
random input.
It is expected that the callback allocates and fills a random buffer of size
B<min_len> <= size <= B<max_len> (in bytes) which contains at least B<entropy>
bits of randomness.
The B<prediction_resistance> flag indicates whether the reseeding was
triggered by a prediction resistance request.

The buffer's address is to be returned in *B<pout> and the number of collected
randomness bytes as return value.

If the callback fails to acquire at least B<entropy> bits of randomness,
it must indicate an error by returning a buffer length of 0.

If B<prediction_resistance> was requested and the random source of the DRBG
does not satisfy the conditions requested by [NIST SP 800-90C], then
it must also indicate an error by returning a buffer length of 0.
See NOTES section for more details.

The B<cleanup_entropy>() callback is called from the B<drbg> to clear and
free the buffer allocated previously by get_entropy().
The values B<out> and B<outlen> are the random buffer's address and length,
as returned by the get_entropy() callback.

The B<get_nonce>() and B<cleanup_nonce>() callbacks are used to obtain a nonce
and free it again. A nonce is only required for instantiation (not for reseeding)
and only in the case where the DRBG uses a derivation function.
The callbacks are analogous to get_entropy() and cleanup_entropy(),
except for the missing prediction_resistance flag.

If the derivation function is disabled, then no nonce is used for instantiation,
and the B<get_nonce>() and B<cleanup_nonce>() callbacks can be omitted by
setting them to NULL.


=head1 RETURN VALUES

RAND_DRBG_set_callbacks() returns 1 on success, and 0 on failure.

RAND_DRBG_set_callback_data() returns 1 on success, and 0 on failure.

RAND_DRBG_get_callback_data() returns the pointer to the callback data,
which is NULL if none has been set previously.

=head1 NOTES

It is important that B<cleanup_entropy>() and B<cleanup_nonce>() clear the buffer
contents safely before freeing it, in order not to leave sensitive information
about the DRBG's state in memory.

A request for prediction resistance can only be satisfied by pulling fresh
entropy from a live entropy source (section 5.5.2 of [NIST SP 800-90C]).
It is up to the user to ensure that a live entropy source is configured
and is being used.

The derivation function is disabled by calling the RAND_DRBG_new_ex()
function with the RAND_DRBG_FLAG_CTR_NO_DF flag.  For more information on
the derivation function and when it can be omitted, see [NIST SP 800-90A
Rev. 1]. Roughly speaking it can be omitted if the random source has "full
entropy", that is, it contains 8 bits of entropy per byte. In a FIPS context,
the derivation function can never be omitted.

Even if a nonce is required, the B<get_nonce>() and B<cleanup_nonce>()
callbacks can be omitted by setting them to NULL.
In this case the DRBG will automatically request an extra amount of entropy
(using the B<get_entropy>() and B<cleanup_entropy>() callbacks) which it will
utilize for the nonce, following the recommendations of [NIST SP 800-90A Rev. 1],
section 8.6.7.

The callback data is a rather specialized feature, because in general the
random sources don't (and in fact, they must not) depend on any state provided
by the DRBG.
There are however exceptional cases where this feature is useful, most notably
for implementing known answer tests (KATs) or deterministic signatures like
those specified in RFC6979, which require passing a specified entropy and nonce
for instantiating the DRBG.

=head1 SEE ALSO

L<RAND_DRBG_new(3)>,
L<RAND_DRBG_reseed(3)>,
L<RAND_DRBG(7)>

=head1 HISTORY

The RAND_DRBG functions were added in OpenSSL 1.1.1.

=head1 COPYRIGHT

Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
a73d990e DMSP	1	=pod
	2
	3	=head1 NAME
	4
	5	RAND_DRBG_set_callbacks,
30a9d5d1 DMSP	6	RAND_DRBG_set_callback_data,
30a9d5d1 DMSP	7	RAND_DRBG_get_callback_data,
a73d990e DMSP	8	RAND_DRBG_get_entropy_fn,
	9	RAND_DRBG_cleanup_entropy_fn,
	10	RAND_DRBG_get_nonce_fn,
	11	RAND_DRBG_cleanup_nonce_fn
	12	- set callbacks for reseeding
	13
	14	=head1 SYNOPSIS
	15
	16	#include <openssl/rand_drbg.h>
	17
	18
	19	int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
	20	RAND_DRBG_get_entropy_fn get_entropy,
	21	RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
	22	RAND_DRBG_get_nonce_fn get_nonce,
	23	RAND_DRBG_cleanup_nonce_fn cleanup_nonce);
	24
30a9d5d1 DMSP	25	int RAND_DRBG_set_callback_data(RAND_DRBG drbg, void ctx);
	26
	27	void RAND_DRBG_get_callback_data(RAND_DRBG drbg);
a73d990e DMSP	28
	29	=head2 Callback Functions
	30
	31	typedef size_t (*RAND_DRBG_get_entropy_fn)(
	32	RAND_DRBG *drbg,
	33	unsigned char **pout,
	34	int entropy,
	35	size_t min_len, size_t max_len,
	36	int prediction_resistance);
	37
	38	typedef void (*RAND_DRBG_cleanup_entropy_fn)(
	39	RAND_DRBG *drbg,
	40	unsigned char *out, size_t outlen);
	41
	42	typedef size_t (*RAND_DRBG_get_nonce_fn)(
	43	RAND_DRBG *drbg,
	44	unsigned char **pout,
	45	int entropy,
	46	size_t min_len, size_t max_len);
	47
	48	typedef void (*RAND_DRBG_cleanup_nonce_fn)(
	49	RAND_DRBG *drbg,
	50	unsigned char *out, size_t outlen);
	51
	52
	53
	54	=head1 DESCRIPTION
	55
	56	RAND_DRBG_set_callbacks() sets the callbacks for obtaining fresh entropy and
	57	the nonce when reseeding the given B<drbg>.
	58	The callback functions are implemented and provided by the caller.
	59	Their parameter lists need to match the function prototypes above.
	60
30a9d5d1 DMSP	61	RAND_DRBG_set_callback_data() can be used to store a pointer to some context
	62	specific data, which can subsequently be retrieved by the entropy and nonce
	63	callbacks using RAND_DRBG_get_callback_data().
	64	The ownership of the context data remains with the caller, i.e., it is the
09066cf2	65	caller's responsibility to keep it available as long as it is needed by the
30a9d5d1	66	callbacks and free it after use.
8c1cbc72	67	For more information about the callback data see the NOTES section.
30a9d5d1 DMSP	68
	69	Setting the callbacks or the callback data is allowed only if the DRBG has
	70	not been initialized yet.
a73d990e DMSP	71	Otherwise, the operation will fail.
	72	To change the settings for one of the three shared DRBGs it is necessary to call
	73	RAND_DRBG_uninstantiate() first.
	74
	75	The B<get_entropy>() callback is called by the B<drbg> when it requests fresh
	76	random input.
	77	It is expected that the callback allocates and fills a random buffer of size
	78	B<min_len> <= size <= B<max_len> (in bytes) which contains at least B<entropy>
	79	bits of randomness.
	80	The B<prediction_resistance> flag indicates whether the reseeding was
	81	triggered by a prediction resistance request.
	82
	83	The buffer's address is to be returned in *B<pout> and the number of collected
	84	randomness bytes as return value.
	85
	86	If the callback fails to acquire at least B<entropy> bits of randomness,
	87	it must indicate an error by returning a buffer length of 0.
	88
	89	If B<prediction_resistance> was requested and the random source of the DRBG
	90	does not satisfy the conditions requested by [NIST SP 800-90C], then
	91	it must also indicate an error by returning a buffer length of 0.
	92	See NOTES section for more details.
	93
8c1cbc72	94	The B<cleanup_entropy>() callback is called from the B<drbg> to clear and
a73d990e	95	free the buffer allocated previously by get_entropy().
f7bef277	96	The values B<out> and B<outlen> are the random buffer's address and length,
a73d990e DMSP	97	as returned by the get_entropy() callback.
	98
	99	The B<get_nonce>() and B<cleanup_nonce>() callbacks are used to obtain a nonce
	100	and free it again. A nonce is only required for instantiation (not for reseeding)
	101	and only in the case where the DRBG uses a derivation function.
	102	The callbacks are analogous to get_entropy() and cleanup_entropy(),
	103	except for the missing prediction_resistance flag.
	104
	105	If the derivation function is disabled, then no nonce is used for instantiation,
	106	and the B<get_nonce>() and B<cleanup_nonce>() callbacks can be omitted by
	107	setting them to NULL.
	108
	109
	110	=head1 RETURN VALUES
	111
30a9d5d1 DMSP	112	RAND_DRBG_set_callbacks() returns 1 on success, and 0 on failure.
	113
	114	RAND_DRBG_set_callback_data() returns 1 on success, and 0 on failure.
	115
	116	RAND_DRBG_get_callback_data() returns the pointer to the callback data,
	117	which is NULL if none has been set previously.
a73d990e DMSP	118
	119	=head1 NOTES
	120
	121	It is important that B<cleanup_entropy>() and B<cleanup_nonce>() clear the buffer
	122	contents safely before freeing it, in order not to leave sensitive information
	123	about the DRBG's state in memory.
	124
	125	A request for prediction resistance can only be satisfied by pulling fresh
65175163 P	126	entropy from a live entropy source (section 5.5.2 of [NIST SP 800-90C]).
	127	It is up to the user to ensure that a live entropy source is configured
	128	and is being used.
a73d990e	129
f000e828 P	130	The derivation function is disabled by calling the RAND_DRBG_new_ex()
	131	function with the RAND_DRBG_FLAG_CTR_NO_DF flag. For more information on
	132	the derivation function and when it can be omitted, see [NIST SP 800-90A
	133	Rev. 1]. Roughly speaking it can be omitted if the random source has "full
dc4e74ef	134	entropy", that is, it contains 8 bits of entropy per byte. In a FIPS context,
f000e828	135	the derivation function can never be omitted.
a73d990e DMSP	136
	137	Even if a nonce is required, the B<get_nonce>() and B<cleanup_nonce>()
	138	callbacks can be omitted by setting them to NULL.
	139	In this case the DRBG will automatically request an extra amount of entropy
	140	(using the B<get_entropy>() and B<cleanup_entropy>() callbacks) which it will
	141	utilize for the nonce, following the recommendations of [NIST SP 800-90A Rev. 1],
	142	section 8.6.7.
	143
09066cf2	144	The callback data is a rather specialized feature, because in general the
30a9d5d1 DMSP	145	random sources don't (and in fact, they must not) depend on any state provided
	146	by the DRBG.
	147	There are however exceptional cases where this feature is useful, most notably
	148	for implementing known answer tests (KATs) or deterministic signatures like
	149	those specified in RFC6979, which require passing a specified entropy and nonce
	150	for instantiating the DRBG.
	151
a73d990e DMSP	152	=head1 SEE ALSO
	153
	154	L<RAND_DRBG_new(3)>,
	155	L<RAND_DRBG_reseed(3)>,
	156	L<RAND_DRBG(7)>
	157
b5c4bbbe JL	158	=head1 HISTORY
	159
	160	The RAND_DRBG functions were added in OpenSSL 1.1.1.
	161
a73d990e DMSP	162	=head1 COPYRIGHT
a73d990e DMSP	163
33388b44	164	Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
a73d990e	165
4746f25a	166	Licensed under the Apache License 2.0 (the "License"). You may not use
a73d990e DMSP	167	this file except in compliance with the License. You can obtain a copy
	168	in the file LICENSE in the source distribution or at
	169	L<https://www.openssl.org/source/license.html>.
	170
	171	=cut