029cc6e77cdc2681e4380aaa6a5cd551b163b4bf
[openssl.git] / crypto / rand / drbg_lib.c
1 /*
2  * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <string.h>
11 #include <openssl/crypto.h>
12 #include <openssl/err.h>
13 #include <openssl/rand.h>
14 #include "rand_local.h"
15 #include "internal/thread_once.h"
16 #include "crypto/rand.h"
17 #include "crypto/cryptlib.h"
18
19 /*
20  * Support framework for NIST SP 800-90A DRBG
21  *
22  * See manual page RAND_DRBG(7) for a general overview.
23  *
24  * The OpenSSL model is to have new and free functions, and that new
25  * does all initialization.  That is not the NIST model, which has
26  * instantiation and un-instantiate, and re-use within a new/free
27  * lifecycle.  (No doubt this comes from the desire to support hardware
28  * DRBG, where allocation of resources on something like an HSM is
29  * a much bigger deal than just re-setting an allocated resource.)
30  */
31
32
33 typedef struct drbg_global_st {
34     /*
35      * The three shared DRBG instances
36      *
37      * There are three shared DRBG instances: <master>, <public>, and <private>.
38      */
39
40     /*
41      * The <master> DRBG
42      *
43      * Not used directly by the application, only for reseeding the two other
44      * DRBGs. It reseeds itself by pulling either randomness from os entropy
45      * sources or by consuming randomness which was added by RAND_add().
46      *
47      * The <master> DRBG is a global instance which is accessed concurrently by
48      * all threads. The necessary locking is managed automatically by its child
49      * DRBG instances during reseeding.
50      */
51     RAND_DRBG *master_drbg;
52     /*
53      * The <public> DRBG
54      *
55      * Used by default for generating random bytes using RAND_bytes().
56      *
57      * The <public> DRBG is thread-local, i.e., there is one instance per
58      * thread.
59      */
60     CRYPTO_THREAD_LOCAL public_drbg;
61     /*
62      * The <private> DRBG
63      *
64      * Used by default for generating private keys using RAND_priv_bytes()
65      *
66      * The <private> DRBG is thread-local, i.e., there is one instance per
67      * thread.
68      */
69     CRYPTO_THREAD_LOCAL private_drbg;
70 } DRBG_GLOBAL;
71
72 typedef struct drbg_nonce_global_st {
73     CRYPTO_RWLOCK *rand_nonce_lock;
74     int rand_nonce_count;
75 } DRBG_NONCE_GLOBAL;
76
77 /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
78 static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
79
80 #define RAND_DRBG_TYPE_FLAGS    ( \
81     RAND_DRBG_FLAG_MASTER | RAND_DRBG_FLAG_PUBLIC | RAND_DRBG_FLAG_PRIVATE )
82
83 #define RAND_DRBG_TYPE_MASTER                     0
84 #define RAND_DRBG_TYPE_PUBLIC                     1
85 #define RAND_DRBG_TYPE_PRIVATE                    2
86
87 /* Defaults */
88 static int rand_drbg_type[3] = {
89     RAND_DRBG_TYPE, /* Master */
90     RAND_DRBG_TYPE, /* Public */
91     RAND_DRBG_TYPE  /* Private */
92 };
93 static unsigned int rand_drbg_flags[3] = {
94     RAND_DRBG_FLAGS | RAND_DRBG_FLAG_MASTER, /* Master */
95     RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PUBLIC, /* Public */
96     RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PRIVATE /* Private */
97 };
98
99 static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL;
100 static unsigned int slave_reseed_interval  = SLAVE_RESEED_INTERVAL;
101
102 static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
103 static time_t slave_reseed_time_interval  = SLAVE_RESEED_TIME_INTERVAL;
104
105 /* A logical OR of all used DRBG flag bits (currently there is only one) */
106 static const unsigned int rand_drbg_used_flags =
107     RAND_DRBG_FLAG_CTR_NO_DF | RAND_DRBG_FLAG_HMAC | RAND_DRBG_TYPE_FLAGS;
108
109
110 static RAND_DRBG *drbg_setup(OPENSSL_CTX *ctx, RAND_DRBG *parent, int drbg_type);
111
112 static RAND_DRBG *rand_drbg_new(OPENSSL_CTX *ctx,
113                                 int secure,
114                                 int type,
115                                 unsigned int flags,
116                                 RAND_DRBG *parent);
117
118 static int is_ctr(int type)
119 {
120     switch (type) {
121     case NID_aes_128_ctr:
122     case NID_aes_192_ctr:
123     case NID_aes_256_ctr:
124         return 1;
125     default:
126         return 0;
127     }
128 }
129
130 static int is_digest(int type)
131 {
132     switch (type) {
133     case NID_sha1:
134     case NID_sha224:
135     case NID_sha256:
136     case NID_sha384:
137     case NID_sha512:
138     case NID_sha512_224:
139     case NID_sha512_256:
140     case NID_sha3_224:
141     case NID_sha3_256:
142     case NID_sha3_384:
143     case NID_sha3_512:
144         return 1;
145     default:
146         return 0;
147     }
148 }
149
150 /*
151  * Initialize the OPENSSL_CTX global DRBGs on first use.
152  * Returns the allocated global data on success or NULL on failure.
153  */
154 static void *drbg_ossl_ctx_new(OPENSSL_CTX *libctx)
155 {
156     DRBG_GLOBAL *dgbl = OPENSSL_zalloc(sizeof(*dgbl));
157
158     if (dgbl == NULL)
159         return NULL;
160
161 #ifndef FIPS_MODE
162     /*
163      * We need to ensure that base libcrypto thread handling has been
164      * initialised.
165      */
166      OPENSSL_init_crypto(0, NULL);
167 #endif
168
169     if (!CRYPTO_THREAD_init_local(&dgbl->private_drbg, NULL))
170         goto err1;
171
172     if (!CRYPTO_THREAD_init_local(&dgbl->public_drbg, NULL))
173         goto err2;
174
175     dgbl->master_drbg = drbg_setup(libctx, NULL, RAND_DRBG_TYPE_MASTER);
176     if (dgbl->master_drbg == NULL)
177         goto err3;
178
179     return dgbl;
180
181  err3:
182     CRYPTO_THREAD_cleanup_local(&dgbl->public_drbg);
183  err2:
184     CRYPTO_THREAD_cleanup_local(&dgbl->private_drbg);
185  err1:
186     OPENSSL_free(dgbl);
187     return NULL;
188 }
189
190 static void drbg_ossl_ctx_free(void *vdgbl)
191 {
192     DRBG_GLOBAL *dgbl = vdgbl;
193
194     if (dgbl == NULL)
195         return;
196
197     RAND_DRBG_free(dgbl->master_drbg);
198     CRYPTO_THREAD_cleanup_local(&dgbl->private_drbg);
199     CRYPTO_THREAD_cleanup_local(&dgbl->public_drbg);
200
201     OPENSSL_free(dgbl);
202 }
203
204 static const OPENSSL_CTX_METHOD drbg_ossl_ctx_method = {
205     drbg_ossl_ctx_new,
206     drbg_ossl_ctx_free,
207 };
208
209 /*
210  * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
211  * which needs to get the rand_nonce_lock out of the OPENSSL_CTX...but since
212  * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
213  * to be in a different global data object. Otherwise we will go into an
214  * infinite recursion loop.
215  */
216 static void *drbg_nonce_ossl_ctx_new(OPENSSL_CTX *libctx)
217 {
218     DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
219
220     if (dngbl == NULL)
221         return NULL;
222
223     dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();
224     if (dngbl->rand_nonce_lock == NULL) {
225         OPENSSL_free(dngbl);
226         return NULL;
227     }
228
229     return dngbl;
230 }
231
232 static void drbg_nonce_ossl_ctx_free(void *vdngbl)
233 {
234     DRBG_NONCE_GLOBAL *dngbl = vdngbl;
235
236     if (dngbl == NULL)
237         return;
238
239     CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);
240
241     OPENSSL_free(dngbl);
242 }
243
244 static const OPENSSL_CTX_METHOD drbg_nonce_ossl_ctx_method = {
245     drbg_nonce_ossl_ctx_new,
246     drbg_nonce_ossl_ctx_free,
247 };
248
249 static DRBG_GLOBAL *drbg_get_global(OPENSSL_CTX *libctx)
250 {
251     return openssl_ctx_get_data(libctx, OPENSSL_CTX_DRBG_INDEX,
252                                 &drbg_ossl_ctx_method);
253 }
254
255 /* Implements the get_nonce() callback (see RAND_DRBG_set_callbacks()) */
256 size_t rand_drbg_get_nonce(RAND_DRBG *drbg,
257                            unsigned char **pout,
258                            int entropy, size_t min_len, size_t max_len)
259 {
260     size_t ret = 0;
261     RAND_POOL *pool;
262     DRBG_NONCE_GLOBAL *dngbl
263         = openssl_ctx_get_data(drbg->libctx, OPENSSL_CTX_DRBG_NONCE_INDEX,
264                                &drbg_nonce_ossl_ctx_method);
265     struct {
266         void *instance;
267         int count;
268     } data;
269
270     if (dngbl == NULL)
271         return 0;
272
273     memset(&data, 0, sizeof(data));
274     pool = rand_pool_new(0, 0, min_len, max_len);
275     if (pool == NULL)
276         return 0;
277
278     if (rand_pool_add_nonce_data(pool) == 0)
279         goto err;
280
281     data.instance = drbg;
282     CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
283                       dngbl->rand_nonce_lock);
284
285     if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0)
286         goto err;
287
288     ret   = rand_pool_length(pool);
289     *pout = rand_pool_detach(pool);
290
291  err:
292     rand_pool_free(pool);
293
294     return ret;
295 }
296
297 /*
298  * Implements the cleanup_nonce() callback (see RAND_DRBG_set_callbacks())
299  *
300  */
301 void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,
302                              unsigned char *out, size_t outlen)
303 {
304     OPENSSL_clear_free(out, outlen);
305 }
306
307 /*
308  * Set the |drbg|'s callback data pointer for the entropy and nonce callbacks
309  *
310  * The ownership of the context data remains with the caller,
311  * i.e., it is the caller's responsibility to keep it available as long
312  * as it is need by the callbacks and free it after use.
313  *
314  * Setting the callback data is allowed only if the drbg has not been
315  * initialized yet. Otherwise, the operation will fail.
316  *
317  * Returns 1 on success, 0 on failure.
318  */
319 int RAND_DRBG_set_callback_data(RAND_DRBG *drbg, void *data)
320 {
321     if (drbg->state != DRBG_UNINITIALISED
322         || drbg->parent != NULL)
323         return 0;
324
325     drbg->callback_data = data;
326     return 1;
327 }
328
329 /* Retrieve the callback data pointer */
330 void *RAND_DRBG_get_callback_data(RAND_DRBG *drbg)
331 {
332     return drbg->callback_data;
333 }
334
335 /*
336  * Set/initialize |drbg| to be of type |type|, with optional |flags|.
337  *
338  * If |type| and |flags| are zero, use the defaults
339  *
340  * Returns 1 on success, 0 on failure.
341  */
342 int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
343 {
344     int ret = 1;
345
346     if (type == 0 && flags == 0) {
347         type = rand_drbg_type[RAND_DRBG_TYPE_MASTER];
348         flags = rand_drbg_flags[RAND_DRBG_TYPE_MASTER];
349     }
350
351     /* If set is called multiple times - clear the old one */
352     if (drbg->type != 0 && (type != drbg->type || flags != drbg->flags)) {
353         drbg->meth->uninstantiate(drbg);
354         rand_pool_free(drbg->adin_pool);
355         drbg->adin_pool = NULL;
356     }
357
358     drbg->state = DRBG_UNINITIALISED;
359     drbg->flags = flags;
360     drbg->type = type;
361
362     if (type == 0) {
363         /* Uninitialized; that's okay. */
364         drbg->meth = NULL;
365         return 1;
366     } else if (is_ctr(type)) {
367         ret = drbg_ctr_init(drbg);
368     } else if (is_digest(type)) {
369         if (flags & RAND_DRBG_FLAG_HMAC)
370             ret = drbg_hmac_init(drbg);
371         else
372             ret = drbg_hash_init(drbg);
373     } else {
374         drbg->type = 0;
375         drbg->flags = 0;
376         drbg->meth = NULL;
377         RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
378         return 0;
379     }
380
381     if (ret == 0) {
382         drbg->state = DRBG_ERROR;
383         RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
384     }
385     return ret;
386 }
387
388 /*
389  * Set/initialize default |type| and |flag| for new drbg instances.
390  *
391  * Returns 1 on success, 0 on failure.
392  */
393 int RAND_DRBG_set_defaults(int type, unsigned int flags)
394 {
395     int all;
396     if (!(is_digest(type) || is_ctr(type))) {
397         RANDerr(RAND_F_RAND_DRBG_SET_DEFAULTS, RAND_R_UNSUPPORTED_DRBG_TYPE);
398         return 0;
399     }
400
401     if ((flags & ~rand_drbg_used_flags) != 0) {
402         RANDerr(RAND_F_RAND_DRBG_SET_DEFAULTS, RAND_R_UNSUPPORTED_DRBG_FLAGS);
403         return 0;
404     }
405
406     all = ((flags & RAND_DRBG_TYPE_FLAGS) == 0);
407     if (all || (flags & RAND_DRBG_FLAG_MASTER) != 0) {
408         rand_drbg_type[RAND_DRBG_TYPE_MASTER] = type;
409         rand_drbg_flags[RAND_DRBG_TYPE_MASTER] = flags | RAND_DRBG_FLAG_MASTER;
410     }
411     if (all || (flags & RAND_DRBG_FLAG_PUBLIC) != 0) {
412         rand_drbg_type[RAND_DRBG_TYPE_PUBLIC]  = type;
413         rand_drbg_flags[RAND_DRBG_TYPE_PUBLIC] = flags | RAND_DRBG_FLAG_PUBLIC;
414     }
415     if (all || (flags & RAND_DRBG_FLAG_PRIVATE) != 0) {
416         rand_drbg_type[RAND_DRBG_TYPE_PRIVATE] = type;
417         rand_drbg_flags[RAND_DRBG_TYPE_PRIVATE] = flags | RAND_DRBG_FLAG_PRIVATE;
418     }
419     return 1;
420 }
421
422
423 /*
424  * Allocate memory and initialize a new DRBG. The DRBG is allocated on
425  * the secure heap if |secure| is nonzero and the secure heap is enabled.
426  * The |parent|, if not NULL, will be used as random source for reseeding.
427  *
428  * Returns a pointer to the new DRBG instance on success, NULL on failure.
429  */
430 static RAND_DRBG *rand_drbg_new(OPENSSL_CTX *ctx,
431                                 int secure,
432                                 int type,
433                                 unsigned int flags,
434                                 RAND_DRBG *parent)
435 {
436     RAND_DRBG *drbg = secure ? OPENSSL_secure_zalloc(sizeof(*drbg))
437                              : OPENSSL_zalloc(sizeof(*drbg));
438
439     if (drbg == NULL) {
440         RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE);
441         return NULL;
442     }
443
444     drbg->libctx = ctx;
445     drbg->secure = secure && CRYPTO_secure_allocated(drbg);
446     drbg->fork_id = openssl_get_fork_id();
447     drbg->parent = parent;
448
449     if (parent == NULL) {
450 #ifdef FIPS_MODE
451         drbg->get_entropy = rand_crngt_get_entropy;
452         drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
453 #else
454         drbg->get_entropy = rand_drbg_get_entropy;
455         drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
456 #endif
457 #ifndef RAND_DRBG_GET_RANDOM_NONCE
458         drbg->get_nonce = rand_drbg_get_nonce;
459         drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
460 #endif
461
462         drbg->reseed_interval = master_reseed_interval;
463         drbg->reseed_time_interval = master_reseed_time_interval;
464     } else {
465         drbg->get_entropy = rand_drbg_get_entropy;
466         drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
467         /*
468          * Do not provide nonce callbacks, the child DRBGs will
469          * obtain their nonce using random bits from the parent.
470          */
471
472         drbg->reseed_interval = slave_reseed_interval;
473         drbg->reseed_time_interval = slave_reseed_time_interval;
474     }
475
476     if (RAND_DRBG_set(drbg, type, flags) == 0)
477         goto err;
478
479     if (parent != NULL) {
480         rand_drbg_lock(parent);
481         if (drbg->strength > parent->strength) {
482             /*
483              * We currently don't support the algorithm from NIST SP 800-90C
484              * 10.1.2 to use a weaker DRBG as source
485              */
486             rand_drbg_unlock(parent);
487             RANDerr(RAND_F_RAND_DRBG_NEW, RAND_R_PARENT_STRENGTH_TOO_WEAK);
488             goto err;
489         }
490         rand_drbg_unlock(parent);
491     }
492
493     return drbg;
494
495  err:
496     RAND_DRBG_free(drbg);
497
498     return NULL;
499 }
500
501 RAND_DRBG *RAND_DRBG_new_ex(OPENSSL_CTX *ctx, int type, unsigned int flags,
502                             RAND_DRBG *parent)
503 {
504     return rand_drbg_new(ctx, 0, type, flags, parent);
505 }
506
507 RAND_DRBG *RAND_DRBG_new(int type, unsigned int flags, RAND_DRBG *parent)
508 {
509     return RAND_DRBG_new_ex(NULL, type, flags, parent);
510 }
511
512 RAND_DRBG *RAND_DRBG_secure_new_ex(OPENSSL_CTX *ctx, int type,
513                                    unsigned int flags, RAND_DRBG *parent)
514 {
515     return rand_drbg_new(ctx, 1, type, flags, parent);
516 }
517
518 RAND_DRBG *RAND_DRBG_secure_new(int type, unsigned int flags, RAND_DRBG *parent)
519 {
520     return RAND_DRBG_secure_new_ex(NULL, type, flags, parent);
521 }
522 /*
523  * Uninstantiate |drbg| and free all memory.
524  */
525 void RAND_DRBG_free(RAND_DRBG *drbg)
526 {
527     if (drbg == NULL)
528         return;
529
530     if (drbg->meth != NULL)
531         drbg->meth->uninstantiate(drbg);
532     rand_pool_free(drbg->adin_pool);
533     CRYPTO_THREAD_lock_free(drbg->lock);
534 #ifndef FIPS_MODE
535     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RAND_DRBG, drbg, &drbg->ex_data);
536 #endif
537
538     if (drbg->secure)
539         OPENSSL_secure_clear_free(drbg, sizeof(*drbg));
540     else
541         OPENSSL_clear_free(drbg, sizeof(*drbg));
542 }
543
544 /*
545  * Instantiate |drbg|, after it has been initialized.  Use |pers| and
546  * |perslen| as prediction-resistance input.
547  *
548  * Requires that drbg->lock is already locked for write, if non-null.
549  *
550  * Returns 1 on success, 0 on failure.
551  */
552 int RAND_DRBG_instantiate(RAND_DRBG *drbg,
553                           const unsigned char *pers, size_t perslen)
554 {
555     unsigned char *nonce = NULL, *entropy = NULL;
556     size_t noncelen = 0, entropylen = 0;
557     size_t min_entropy = drbg->strength;
558     size_t min_entropylen = drbg->min_entropylen;
559     size_t max_entropylen = drbg->max_entropylen;
560
561     if (perslen > drbg->max_perslen) {
562         RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
563                 RAND_R_PERSONALISATION_STRING_TOO_LONG);
564         goto end;
565     }
566
567     if (drbg->meth == NULL) {
568         RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
569                 RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
570         goto end;
571     }
572
573     if (drbg->state != DRBG_UNINITIALISED) {
574         if (drbg->state == DRBG_ERROR)
575             RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_IN_ERROR_STATE);
576         else
577             RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ALREADY_INSTANTIATED);
578         goto end;
579     }
580
581     drbg->state = DRBG_ERROR;
582
583     /*
584      * NIST SP800-90Ar1 section 9.1 says you can combine getting the entropy
585      * and nonce in 1 call by increasing the entropy with 50% and increasing
586      * the minimum length to accommodate the length of the nonce.
587      * We do this in case a nonce is require and get_nonce is NULL.
588      */
589     if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {
590         min_entropy += drbg->strength / 2;
591         min_entropylen += drbg->min_noncelen;
592         max_entropylen += drbg->max_noncelen;
593     }
594
595     drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
596     if (drbg->reseed_next_counter) {
597         drbg->reseed_next_counter++;
598         if(!drbg->reseed_next_counter)
599             drbg->reseed_next_counter = 1;
600     }
601
602     if (drbg->get_entropy != NULL)
603         entropylen = drbg->get_entropy(drbg, &entropy, min_entropy,
604                                        min_entropylen, max_entropylen, 0);
605     if (entropylen < min_entropylen
606             || entropylen > max_entropylen) {
607         RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_ENTROPY);
608         goto end;
609     }
610
611     if (drbg->min_noncelen > 0 && drbg->get_nonce != NULL) {
612         noncelen = drbg->get_nonce(drbg, &nonce, drbg->strength / 2,
613                                    drbg->min_noncelen, drbg->max_noncelen);
614         if (noncelen < drbg->min_noncelen || noncelen > drbg->max_noncelen) {
615             RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_NONCE);
616             goto end;
617         }
618     }
619
620     if (!drbg->meth->instantiate(drbg, entropy, entropylen,
621                          nonce, noncelen, pers, perslen)) {
622         RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_INSTANTIATING_DRBG);
623         goto end;
624     }
625
626     drbg->state = DRBG_READY;
627     drbg->reseed_gen_counter = 1;
628     drbg->reseed_time = time(NULL);
629     tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
630
631  end:
632     if (entropy != NULL && drbg->cleanup_entropy != NULL)
633         drbg->cleanup_entropy(drbg, entropy, entropylen);
634     if (nonce != NULL && drbg->cleanup_nonce != NULL)
635         drbg->cleanup_nonce(drbg, nonce, noncelen);
636     if (drbg->state == DRBG_READY)
637         return 1;
638     return 0;
639 }
640
641 /*
642  * Uninstantiate |drbg|. Must be instantiated before it can be used.
643  *
644  * Requires that drbg->lock is already locked for write, if non-null.
645  *
646  * Returns 1 on success, 0 on failure.
647  */
648 int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
649 {
650     int index = -1, type, flags;
651     if (drbg->meth == NULL) {
652         drbg->state = DRBG_ERROR;
653         RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE,
654                 RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
655         return 0;
656     }
657
658     /* Clear the entire drbg->ctr struct, then reset some important
659      * members of the drbg->ctr struct (e.g. keysize, df_ks) to their
660      * initial values.
661      */
662     drbg->meth->uninstantiate(drbg);
663
664     /* The reset uses the default values for type and flags */
665     if (drbg->flags & RAND_DRBG_FLAG_MASTER)
666         index = RAND_DRBG_TYPE_MASTER;
667     else if (drbg->flags & RAND_DRBG_FLAG_PRIVATE)
668         index = RAND_DRBG_TYPE_PRIVATE;
669     else if (drbg->flags & RAND_DRBG_FLAG_PUBLIC)
670         index = RAND_DRBG_TYPE_PUBLIC;
671
672     if (index != -1) {
673         flags = rand_drbg_flags[index];
674         type = rand_drbg_type[index];
675     } else {
676         flags = drbg->flags;
677         type = drbg->type;
678     }
679     return RAND_DRBG_set(drbg, type, flags);
680 }
681
682 /*
683  * Reseed |drbg|, mixing in the specified data
684  *
685  * Requires that drbg->lock is already locked for write, if non-null.
686  *
687  * Returns 1 on success, 0 on failure.
688  */
689 int RAND_DRBG_reseed(RAND_DRBG *drbg,
690                      const unsigned char *adin, size_t adinlen,
691                      int prediction_resistance)
692 {
693     unsigned char *entropy = NULL;
694     size_t entropylen = 0;
695
696     if (drbg->state == DRBG_ERROR) {
697         RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_IN_ERROR_STATE);
698         return 0;
699     }
700     if (drbg->state == DRBG_UNINITIALISED) {
701         RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_NOT_INSTANTIATED);
702         return 0;
703     }
704
705     if (adin == NULL) {
706         adinlen = 0;
707     } else if (adinlen > drbg->max_adinlen) {
708         RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_ADDITIONAL_INPUT_TOO_LONG);
709         return 0;
710     }
711
712     drbg->state = DRBG_ERROR;
713
714     drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
715     if (drbg->reseed_next_counter) {
716         drbg->reseed_next_counter++;
717         if(!drbg->reseed_next_counter)
718             drbg->reseed_next_counter = 1;
719     }
720
721     if (drbg->get_entropy != NULL)
722         entropylen = drbg->get_entropy(drbg, &entropy, drbg->strength,
723                                        drbg->min_entropylen,
724                                        drbg->max_entropylen,
725                                        prediction_resistance);
726     if (entropylen < drbg->min_entropylen
727             || entropylen > drbg->max_entropylen) {
728         RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_ERROR_RETRIEVING_ENTROPY);
729         goto end;
730     }
731
732     if (!drbg->meth->reseed(drbg, entropy, entropylen, adin, adinlen))
733         goto end;
734
735     drbg->state = DRBG_READY;
736     drbg->reseed_gen_counter = 1;
737     drbg->reseed_time = time(NULL);
738     tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
739
740  end:
741     if (entropy != NULL && drbg->cleanup_entropy != NULL)
742         drbg->cleanup_entropy(drbg, entropy, entropylen);
743     if (drbg->state == DRBG_READY)
744         return 1;
745     return 0;
746 }
747
748 /*
749  * Restart |drbg|, using the specified entropy or additional input
750  *
751  * Tries its best to get the drbg instantiated by all means,
752  * regardless of its current state.
753  *
754  * Optionally, a |buffer| of |len| random bytes can be passed,
755  * which is assumed to contain at least |entropy| bits of entropy.
756  *
757  * If |entropy| > 0, the buffer content is used as entropy input.
758  *
759  * If |entropy| == 0, the buffer content is used as additional input
760  *
761  * Returns 1 on success, 0 on failure.
762  *
763  * This function is used internally only.
764  */
765 int rand_drbg_restart(RAND_DRBG *drbg,
766                       const unsigned char *buffer, size_t len, size_t entropy)
767 {
768     int reseeded = 0;
769     const unsigned char *adin = NULL;
770     size_t adinlen = 0;
771
772     if (drbg->seed_pool != NULL) {
773         RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);
774         drbg->state = DRBG_ERROR;
775         rand_pool_free(drbg->seed_pool);
776         drbg->seed_pool = NULL;
777         return 0;
778     }
779
780     if (buffer != NULL) {
781         if (entropy > 0) {
782             if (drbg->max_entropylen < len) {
783                 RANDerr(RAND_F_RAND_DRBG_RESTART,
784                     RAND_R_ENTROPY_INPUT_TOO_LONG);
785                 drbg->state = DRBG_ERROR;
786                 return 0;
787             }
788
789             if (entropy > 8 * len) {
790                 RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_ENTROPY_OUT_OF_RANGE);
791                 drbg->state = DRBG_ERROR;
792                 return 0;
793             }
794
795             /* will be picked up by the rand_drbg_get_entropy() callback */
796             drbg->seed_pool = rand_pool_attach(buffer, len, entropy);
797             if (drbg->seed_pool == NULL)
798                 return 0;
799         } else {
800             if (drbg->max_adinlen < len) {
801                 RANDerr(RAND_F_RAND_DRBG_RESTART,
802                         RAND_R_ADDITIONAL_INPUT_TOO_LONG);
803                 drbg->state = DRBG_ERROR;
804                 return 0;
805             }
806             adin = buffer;
807             adinlen = len;
808         }
809     }
810
811     /* repair error state */
812     if (drbg->state == DRBG_ERROR)
813         RAND_DRBG_uninstantiate(drbg);
814
815     /* repair uninitialized state */
816     if (drbg->state == DRBG_UNINITIALISED) {
817         /* reinstantiate drbg */
818         RAND_DRBG_instantiate(drbg,
819                               (const unsigned char *) ossl_pers_string,
820                               sizeof(ossl_pers_string) - 1);
821         /* already reseeded. prevent second reseeding below */
822         reseeded = (drbg->state == DRBG_READY);
823     }
824
825     /* refresh current state if entropy or additional input has been provided */
826     if (drbg->state == DRBG_READY) {
827         if (adin != NULL) {
828             /*
829              * mix in additional input without reseeding
830              *
831              * Similar to RAND_DRBG_reseed(), but the provided additional
832              * data |adin| is mixed into the current state without pulling
833              * entropy from the trusted entropy source using get_entropy().
834              * This is not a reseeding in the strict sense of NIST SP 800-90A.
835              */
836             drbg->meth->reseed(drbg, adin, adinlen, NULL, 0);
837         } else if (reseeded == 0) {
838             /* do a full reseeding if it has not been done yet above */
839             RAND_DRBG_reseed(drbg, NULL, 0, 0);
840         }
841     }
842
843     rand_pool_free(drbg->seed_pool);
844     drbg->seed_pool = NULL;
845
846     return drbg->state == DRBG_READY;
847 }
848
849 /*
850  * Generate |outlen| bytes into the buffer at |out|.  Reseed if we need
851  * to or if |prediction_resistance| is set.  Additional input can be
852  * sent in |adin| and |adinlen|.
853  *
854  * Requires that drbg->lock is already locked for write, if non-null.
855  *
856  * Returns 1 on success, 0 on failure.
857  *
858  */
859 int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
860                        int prediction_resistance,
861                        const unsigned char *adin, size_t adinlen)
862 {
863     int fork_id;
864     int reseed_required = 0;
865
866     if (drbg->state != DRBG_READY) {
867         /* try to recover from previous errors */
868         rand_drbg_restart(drbg, NULL, 0, 0);
869
870         if (drbg->state == DRBG_ERROR) {
871             RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_IN_ERROR_STATE);
872             return 0;
873         }
874         if (drbg->state == DRBG_UNINITIALISED) {
875             RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_NOT_INSTANTIATED);
876             return 0;
877         }
878     }
879
880     if (outlen > drbg->max_request) {
881         RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG);
882         return 0;
883     }
884     if (adinlen > drbg->max_adinlen) {
885         RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_ADDITIONAL_INPUT_TOO_LONG);
886         return 0;
887     }
888
889     fork_id = openssl_get_fork_id();
890
891     if (drbg->fork_id != fork_id) {
892         drbg->fork_id = fork_id;
893         reseed_required = 1;
894     }
895
896     if (drbg->reseed_interval > 0) {
897         if (drbg->reseed_gen_counter > drbg->reseed_interval)
898             reseed_required = 1;
899     }
900     if (drbg->reseed_time_interval > 0) {
901         time_t now = time(NULL);
902         if (now < drbg->reseed_time
903             || now - drbg->reseed_time >= drbg->reseed_time_interval)
904             reseed_required = 1;
905     }
906     if (drbg->parent != NULL) {
907         unsigned int reseed_counter = tsan_load(&drbg->reseed_prop_counter);
908         if (reseed_counter > 0
909                 && tsan_load(&drbg->parent->reseed_prop_counter)
910                    != reseed_counter)
911             reseed_required = 1;
912     }
913
914     if (reseed_required || prediction_resistance) {
915         if (!RAND_DRBG_reseed(drbg, adin, adinlen, prediction_resistance)) {
916             RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_RESEED_ERROR);
917             return 0;
918         }
919         adin = NULL;
920         adinlen = 0;
921     }
922
923     if (!drbg->meth->generate(drbg, out, outlen, adin, adinlen)) {
924         drbg->state = DRBG_ERROR;
925         RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_GENERATE_ERROR);
926         return 0;
927     }
928
929     drbg->reseed_gen_counter++;
930
931     return 1;
932 }
933
934 /*
935  * Generates |outlen| random bytes and stores them in |out|. It will
936  * using the given |drbg| to generate the bytes.
937  *
938  * Requires that drbg->lock is already locked for write, if non-null.
939  *
940  * Returns 1 on success 0 on failure.
941  */
942 int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
943 {
944     unsigned char *additional = NULL;
945     size_t additional_len;
946     size_t chunk;
947     size_t ret = 0;
948
949     if (drbg->adin_pool == NULL) {
950         if (drbg->type == 0)
951             goto err;
952         drbg->adin_pool = rand_pool_new(0, 0, 0, drbg->max_adinlen);
953         if (drbg->adin_pool == NULL)
954             goto err;
955     }
956
957     additional_len = rand_drbg_get_additional_data(drbg->adin_pool,
958                                                    &additional);
959
960     for ( ; outlen > 0; outlen -= chunk, out += chunk) {
961         chunk = outlen;
962         if (chunk > drbg->max_request)
963             chunk = drbg->max_request;
964         ret = RAND_DRBG_generate(drbg, out, chunk, 0, additional, additional_len);
965         if (!ret)
966             goto err;
967     }
968     ret = 1;
969
970  err:
971     if (additional != NULL)
972         rand_drbg_cleanup_additional_data(drbg->adin_pool, additional);
973
974     return ret;
975 }
976
977 /*
978  * Set the RAND_DRBG callbacks for obtaining entropy and nonce.
979  *
980  * Setting the callbacks is allowed only if the drbg has not been
981  * initialized yet. Otherwise, the operation will fail.
982  *
983  * Returns 1 on success, 0 on failure.
984  */
985 int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
986                             RAND_DRBG_get_entropy_fn get_entropy,
987                             RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
988                             RAND_DRBG_get_nonce_fn get_nonce,
989                             RAND_DRBG_cleanup_nonce_fn cleanup_nonce)
990 {
991     if (drbg->state != DRBG_UNINITIALISED
992             || drbg->parent != NULL)
993         return 0;
994     drbg->get_entropy = get_entropy;
995     drbg->cleanup_entropy = cleanup_entropy;
996     drbg->get_nonce = get_nonce;
997     drbg->cleanup_nonce = cleanup_nonce;
998     return 1;
999 }
1000
1001 /*
1002  * Set the reseed interval.
1003  *
1004  * The drbg will reseed automatically whenever the number of generate
1005  * requests exceeds the given reseed interval. If the reseed interval
1006  * is 0, then this feature is disabled.
1007  *
1008  * Returns 1 on success, 0 on failure.
1009  */
1010 int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg, unsigned int interval)
1011 {
1012     if (interval > MAX_RESEED_INTERVAL)
1013         return 0;
1014     drbg->reseed_interval = interval;
1015     return 1;
1016 }
1017
1018 /*
1019  * Set the reseed time interval.
1020  *
1021  * The drbg will reseed automatically whenever the time elapsed since
1022  * the last reseeding exceeds the given reseed time interval. For safety,
1023  * a reseeding will also occur if the clock has been reset to a smaller
1024  * value.
1025  *
1026  * Returns 1 on success, 0 on failure.
1027  */
1028 int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg, time_t interval)
1029 {
1030     if (interval > MAX_RESEED_TIME_INTERVAL)
1031         return 0;
1032     drbg->reseed_time_interval = interval;
1033     return 1;
1034 }
1035
1036 /*
1037  * Set the default values for reseed (time) intervals of new DRBG instances
1038  *
1039  * The default values can be set independently for master DRBG instances
1040  * (without a parent) and slave DRBG instances (with parent).
1041  *
1042  * Returns 1 on success, 0 on failure.
1043  */
1044
1045 int RAND_DRBG_set_reseed_defaults(
1046                                   unsigned int _master_reseed_interval,
1047                                   unsigned int _slave_reseed_interval,
1048                                   time_t _master_reseed_time_interval,
1049                                   time_t _slave_reseed_time_interval
1050                                   )
1051 {
1052     if (_master_reseed_interval > MAX_RESEED_INTERVAL
1053         || _slave_reseed_interval > MAX_RESEED_INTERVAL)
1054         return 0;
1055
1056     if (_master_reseed_time_interval > MAX_RESEED_TIME_INTERVAL
1057         || _slave_reseed_time_interval > MAX_RESEED_TIME_INTERVAL)
1058         return 0;
1059
1060     master_reseed_interval = _master_reseed_interval;
1061     slave_reseed_interval = _slave_reseed_interval;
1062
1063     master_reseed_time_interval = _master_reseed_time_interval;
1064     slave_reseed_time_interval = _slave_reseed_time_interval;
1065
1066     return 1;
1067 }
1068
1069 /*
1070  * Locks the given drbg. Locking a drbg which does not have locking
1071  * enabled is considered a successful no-op.
1072  *
1073  * Returns 1 on success, 0 on failure.
1074  */
1075 int rand_drbg_lock(RAND_DRBG *drbg)
1076 {
1077     if (drbg->lock != NULL)
1078         return CRYPTO_THREAD_write_lock(drbg->lock);
1079
1080     return 1;
1081 }
1082
1083 /*
1084  * Unlocks the given drbg. Unlocking a drbg which does not have locking
1085  * enabled is considered a successful no-op.
1086  *
1087  * Returns 1 on success, 0 on failure.
1088  */
1089 int rand_drbg_unlock(RAND_DRBG *drbg)
1090 {
1091     if (drbg->lock != NULL)
1092         return CRYPTO_THREAD_unlock(drbg->lock);
1093
1094     return 1;
1095 }
1096
1097 /*
1098  * Enables locking for the given drbg
1099  *
1100  * Locking can only be enabled if the random generator
1101  * is in the uninitialized state.
1102  *
1103  * Returns 1 on success, 0 on failure.
1104  */
1105 int rand_drbg_enable_locking(RAND_DRBG *drbg)
1106 {
1107     if (drbg->state != DRBG_UNINITIALISED) {
1108         RANDerr(RAND_F_RAND_DRBG_ENABLE_LOCKING,
1109                 RAND_R_DRBG_ALREADY_INITIALIZED);
1110         return 0;
1111     }
1112
1113     if (drbg->lock == NULL) {
1114         if (drbg->parent != NULL && drbg->parent->lock == NULL) {
1115             RANDerr(RAND_F_RAND_DRBG_ENABLE_LOCKING,
1116                     RAND_R_PARENT_LOCKING_NOT_ENABLED);
1117             return 0;
1118         }
1119
1120         drbg->lock = CRYPTO_THREAD_lock_new();
1121         if (drbg->lock == NULL) {
1122             RANDerr(RAND_F_RAND_DRBG_ENABLE_LOCKING,
1123                     RAND_R_FAILED_TO_CREATE_LOCK);
1124             return 0;
1125         }
1126     }
1127
1128     return 1;
1129 }
1130
1131 #ifndef FIPS_MODE
1132 /*
1133  * Get and set the EXDATA
1134  */
1135 int RAND_DRBG_set_ex_data(RAND_DRBG *drbg, int idx, void *arg)
1136 {
1137     return CRYPTO_set_ex_data(&drbg->ex_data, idx, arg);
1138 }
1139
1140 void *RAND_DRBG_get_ex_data(const RAND_DRBG *drbg, int idx)
1141 {
1142     return CRYPTO_get_ex_data(&drbg->ex_data, idx);
1143 }
1144 #endif
1145
1146 /*
1147  * The following functions provide a RAND_METHOD that works on the
1148  * global DRBG.  They lock.
1149  */
1150
1151 /*
1152  * Allocates a new global DRBG on the secure heap (if enabled) and
1153  * initializes it with default settings.
1154  *
1155  * Returns a pointer to the new DRBG instance on success, NULL on failure.
1156  */
1157 static RAND_DRBG *drbg_setup(OPENSSL_CTX *ctx, RAND_DRBG *parent, int drbg_type)
1158 {
1159     RAND_DRBG *drbg;
1160
1161     drbg = RAND_DRBG_secure_new_ex(ctx, rand_drbg_type[drbg_type],
1162                                    rand_drbg_flags[drbg_type], parent);
1163     if (drbg == NULL)
1164         return NULL;
1165
1166     /* Only the master DRBG needs to have a lock */
1167     if (parent == NULL && rand_drbg_enable_locking(drbg) == 0)
1168         goto err;
1169
1170     /* enable seed propagation */
1171     tsan_store(&drbg->reseed_prop_counter, 1);
1172
1173     /*
1174      * Ignore instantiation error to support just-in-time instantiation.
1175      *
1176      * The state of the drbg will be checked in RAND_DRBG_generate() and
1177      * an automatic recovery is attempted.
1178      */
1179     (void)RAND_DRBG_instantiate(drbg,
1180                                 (const unsigned char *) ossl_pers_string,
1181                                 sizeof(ossl_pers_string) - 1);
1182     return drbg;
1183
1184 err:
1185     RAND_DRBG_free(drbg);
1186     return NULL;
1187 }
1188
1189 static void drbg_delete_thread_state(void *arg)
1190 {
1191     OPENSSL_CTX *ctx = arg;
1192     DRBG_GLOBAL *dgbl = drbg_get_global(ctx);
1193     RAND_DRBG *drbg;
1194
1195     if (dgbl == NULL)
1196         return;
1197     drbg = CRYPTO_THREAD_get_local(&dgbl->public_drbg);
1198     CRYPTO_THREAD_set_local(&dgbl->public_drbg, NULL);
1199     RAND_DRBG_free(drbg);
1200
1201     drbg = CRYPTO_THREAD_get_local(&dgbl->private_drbg);
1202     CRYPTO_THREAD_set_local(&dgbl->private_drbg, NULL);
1203     RAND_DRBG_free(drbg);
1204 }
1205
1206 /* Implements the default OpenSSL RAND_bytes() method */
1207 static int drbg_bytes(unsigned char *out, int count)
1208 {
1209     int ret;
1210     RAND_DRBG *drbg = RAND_DRBG_get0_public();
1211
1212     if (drbg == NULL)
1213         return 0;
1214
1215     ret = RAND_DRBG_bytes(drbg, out, count);
1216
1217     return ret;
1218 }
1219
1220 /*
1221  * Calculates the minimum length of a full entropy buffer
1222  * which is necessary to seed (i.e. instantiate) the DRBG
1223  * successfully.
1224  */
1225 size_t rand_drbg_seedlen(RAND_DRBG *drbg)
1226 {
1227     /*
1228      * If no os entropy source is available then RAND_seed(buffer, bufsize)
1229      * is expected to succeed if and only if the buffer length satisfies
1230      * the following requirements, which follow from the calculations
1231      * in RAND_DRBG_instantiate().
1232      */
1233     size_t min_entropy = drbg->strength;
1234     size_t min_entropylen = drbg->min_entropylen;
1235
1236     /*
1237      * Extra entropy for the random nonce in the absence of a
1238      * get_nonce callback, see comment in RAND_DRBG_instantiate().
1239      */
1240     if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {
1241         min_entropy += drbg->strength / 2;
1242         min_entropylen += drbg->min_noncelen;
1243     }
1244
1245     /*
1246      * Convert entropy requirement from bits to bytes
1247      * (dividing by 8 without rounding upwards, because
1248      * all entropy requirements are divisible by 8).
1249      */
1250     min_entropy >>= 3;
1251
1252     /* Return a value that satisfies both requirements */
1253     return min_entropy > min_entropylen ? min_entropy : min_entropylen;
1254 }
1255
1256 /* Implements the default OpenSSL RAND_add() method */
1257 static int drbg_add(const void *buf, int num, double randomness)
1258 {
1259     int ret = 0;
1260     RAND_DRBG *drbg = RAND_DRBG_get0_master();
1261     size_t buflen;
1262     size_t seedlen;
1263
1264     if (drbg == NULL)
1265         return 0;
1266
1267     if (num < 0 || randomness < 0.0)
1268         return 0;
1269
1270     rand_drbg_lock(drbg);
1271     seedlen = rand_drbg_seedlen(drbg);
1272
1273     buflen = (size_t)num;
1274
1275 #ifdef FIPS_MODE
1276     /*
1277      * NIST SP-800-90A mandates that entropy *shall not* be provided
1278      * by the consuming application. By setting the randomness to zero,
1279      * we ensure that the buffer contents will be added to the internal
1280      * state of the DRBG only as additional data.
1281      *
1282      * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)
1283      */
1284     randomness = 0.0;
1285 #endif
1286     if (buflen < seedlen || randomness < (double) seedlen) {
1287 #if defined(OPENSSL_RAND_SEED_NONE)
1288         /*
1289          * If no os entropy source is available, a reseeding will fail
1290          * inevitably. So we use a trick to mix the buffer contents into
1291          * the DRBG state without forcing a reseeding: we generate a
1292          * dummy random byte, using the buffer content as additional data.
1293          * Note: This won't work with RAND_DRBG_FLAG_CTR_NO_DF.
1294          */
1295         unsigned char dummy[1];
1296
1297         ret = RAND_DRBG_generate(drbg, dummy, sizeof(dummy), 0, buf, buflen);
1298         rand_drbg_unlock(drbg);
1299         return ret;
1300 #else
1301         /*
1302          * If an os entropy source is available then we declare the buffer content
1303          * as additional data by setting randomness to zero and trigger a regular
1304          * reseeding.
1305          */
1306         randomness = 0.0;
1307 #endif
1308     }
1309
1310     if (randomness > (double)seedlen) {
1311         /*
1312          * The purpose of this check is to bound |randomness| by a
1313          * relatively small value in order to prevent an integer
1314          * overflow when multiplying by 8 in the rand_drbg_restart()
1315          * call below. Note that randomness is measured in bytes,
1316          * not bits, so this value corresponds to eight times the
1317          * security strength.
1318          */
1319         randomness = (double)seedlen;
1320     }
1321
1322     ret = rand_drbg_restart(drbg, buf, buflen, (size_t)(8 * randomness));
1323     rand_drbg_unlock(drbg);
1324
1325     return ret;
1326 }
1327
1328 /* Implements the default OpenSSL RAND_seed() method */
1329 static int drbg_seed(const void *buf, int num)
1330 {
1331     return drbg_add(buf, num, num);
1332 }
1333
1334 /* Implements the default OpenSSL RAND_status() method */
1335 static int drbg_status(void)
1336 {
1337     int ret;
1338     RAND_DRBG *drbg = RAND_DRBG_get0_master();
1339
1340     if (drbg == NULL)
1341         return 0;
1342
1343     rand_drbg_lock(drbg);
1344     ret = drbg->state == DRBG_READY ? 1 : 0;
1345     rand_drbg_unlock(drbg);
1346     return ret;
1347 }
1348
1349 /*
1350  * Get the master DRBG.
1351  * Returns pointer to the DRBG on success, NULL on failure.
1352  *
1353  */
1354 RAND_DRBG *OPENSSL_CTX_get0_master_drbg(OPENSSL_CTX *ctx)
1355 {
1356     DRBG_GLOBAL *dgbl = drbg_get_global(ctx);
1357
1358     if (dgbl == NULL)
1359         return NULL;
1360
1361     return dgbl->master_drbg;
1362 }
1363
1364 RAND_DRBG *RAND_DRBG_get0_master(void)
1365 {
1366     return OPENSSL_CTX_get0_master_drbg(NULL);
1367 }
1368
1369 /*
1370  * Get the public DRBG.
1371  * Returns pointer to the DRBG on success, NULL on failure.
1372  */
1373 RAND_DRBG *OPENSSL_CTX_get0_public_drbg(OPENSSL_CTX *ctx)
1374 {
1375     DRBG_GLOBAL *dgbl = drbg_get_global(ctx);
1376     RAND_DRBG *drbg;
1377
1378     if (dgbl == NULL)
1379         return NULL;
1380
1381     drbg = CRYPTO_THREAD_get_local(&dgbl->public_drbg);
1382     if (drbg == NULL) {
1383         ctx = openssl_ctx_get_concrete(ctx);
1384         /*
1385          * If the private_drbg is also NULL then this is the first time we've
1386          * used this thread.
1387          */
1388         if (CRYPTO_THREAD_get_local(&dgbl->private_drbg) == NULL
1389                 && !ossl_init_thread_start(NULL, ctx, drbg_delete_thread_state))
1390             return NULL;
1391         drbg = drbg_setup(ctx, dgbl->master_drbg, RAND_DRBG_TYPE_PUBLIC);
1392         CRYPTO_THREAD_set_local(&dgbl->public_drbg, drbg);
1393     }
1394     return drbg;
1395 }
1396
1397 RAND_DRBG *RAND_DRBG_get0_public(void)
1398 {
1399     return OPENSSL_CTX_get0_public_drbg(NULL);
1400 }
1401
1402 /*
1403  * Get the private DRBG.
1404  * Returns pointer to the DRBG on success, NULL on failure.
1405  */
1406 RAND_DRBG *OPENSSL_CTX_get0_private_drbg(OPENSSL_CTX *ctx)
1407 {
1408     DRBG_GLOBAL *dgbl = drbg_get_global(ctx);
1409     RAND_DRBG *drbg;
1410
1411     if (dgbl == NULL)
1412         return NULL;
1413
1414     drbg = CRYPTO_THREAD_get_local(&dgbl->private_drbg);
1415     if (drbg == NULL) {
1416         ctx = openssl_ctx_get_concrete(ctx);
1417         /*
1418          * If the public_drbg is also NULL then this is the first time we've
1419          * used this thread.
1420          */
1421         if (CRYPTO_THREAD_get_local(&dgbl->public_drbg) == NULL
1422                 && !ossl_init_thread_start(NULL, ctx, drbg_delete_thread_state))
1423             return NULL;
1424         drbg = drbg_setup(ctx, dgbl->master_drbg, RAND_DRBG_TYPE_PRIVATE);
1425         CRYPTO_THREAD_set_local(&dgbl->private_drbg, drbg);
1426     }
1427     return drbg;
1428 }
1429
1430 RAND_DRBG *RAND_DRBG_get0_private(void)
1431 {
1432     return OPENSSL_CTX_get0_private_drbg(NULL);
1433 }
1434
1435 RAND_METHOD rand_meth = {
1436     drbg_seed,
1437     drbg_bytes,
1438     NULL,
1439     drbg_add,
1440     drbg_bytes,
1441     drbg_status
1442 };
1443
1444 RAND_METHOD *RAND_OpenSSL(void)
1445 {
1446 #ifndef FIPS_MODE
1447     return &rand_meth;
1448 #else
1449     return NULL;
1450 #endif
1451 }