2 * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/crypto.h>
12 #include <openssl/err.h>
13 #include <openssl/rand.h>
17 * Support framework for NIST SP 800-90A DRBG, AES-CTR mode.
21 * Get entropy from the existing callback. This is mainly used for KATs.
23 static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout,
24 int entropy, size_t min_len, size_t max_len)
26 if (dctx->get_entropy != NULL)
27 return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
28 /* TODO: Get from parent if it exists. */
35 static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen)
37 if (dctx->cleanup_entropy != NULL)
38 dctx->cleanup_entropy(dctx, out, olen);
42 * The OpenSSL model is to have new and free functions, and that new
43 * does all initialization. That is not the NIST model, which has
44 * instantiation and un-instantiate, and re-use within a new/free
45 * lifecycle. (No doubt this comes from the desire to support hardware
46 * DRBG, where allocation of resources on something like an HSM is
47 * a much bigger deal than just re-setting an allocated resource.)
49 * The DRBG_CTX is OpenSSL's opaque pointer to an instance of the
54 * Set/initialize |dctx| to be of type |nid|, with optional |flags|.
55 * Return -2 if the type is not supported, 1 on success and -1 on
58 int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags)
62 dctx->status = DRBG_STATUS_UNINITIALISED;
68 RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
71 /* Uninitialized; that's okay. */
81 RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
86 * Allocate memory and initialize a new DRBG. The |parent|, if not
87 * NULL, will be used to auto-seed this DRBG_CTX as needed.
89 DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent)
91 DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx));
94 RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE);
98 dctx->parent = parent;
99 if (RAND_DRBG_set(dctx, type, flags) < 0) {
107 * Uninstantiate |dctx| and free all memory.
109 void RAND_DRBG_free(DRBG_CTX *dctx)
114 ctr_uninstantiate(dctx);
115 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data);
117 /* Don't free up default DRBG */
118 if (dctx == RAND_DRBG_get_default()) {
119 memset(dctx, 0, sizeof(DRBG_CTX));
121 dctx->status = DRBG_STATUS_UNINITIALISED;
123 OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
129 * Instantiate |dctx|, after it has been initialized. Use |pers| and
130 * |perslen| as prediction-resistance input.
132 int RAND_DRBG_instantiate(DRBG_CTX *dctx,
133 const unsigned char *pers, size_t perslen)
135 size_t entlen = 0, noncelen = 0;
136 unsigned char *nonce = NULL, *entropy = NULL;
139 if (perslen > dctx->max_pers) {
140 r = RAND_R_PERSONALISATION_STRING_TOO_LONG;
143 if (dctx->status != DRBG_STATUS_UNINITIALISED) {
144 r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE
145 : RAND_R_ALREADY_INSTANTIATED;
149 dctx->status = DRBG_STATUS_ERROR;
150 entlen = get_entropy(dctx, &entropy, dctx->strength,
151 dctx->min_entropy, dctx->max_entropy);
152 if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
153 r = RAND_R_ERROR_RETRIEVING_ENTROPY;
157 if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) {
158 noncelen = dctx->get_nonce(dctx, &nonce,
160 dctx->min_nonce, dctx->max_nonce);
162 if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
163 r = RAND_R_ERROR_RETRIEVING_NONCE;
168 if (!ctr_instantiate(dctx, entropy, entlen,
169 nonce, noncelen, pers, perslen)) {
170 r = RAND_R_ERROR_INSTANTIATING_DRBG;
174 dctx->status = DRBG_STATUS_READY;
175 dctx->reseed_counter = 1;
178 if (entropy != NULL && dctx->cleanup_entropy != NULL)
179 dctx->cleanup_entropy(dctx, entropy, entlen);
180 if (nonce != NULL && dctx->cleanup_nonce!= NULL )
181 dctx->cleanup_nonce(dctx, nonce, noncelen);
182 if (dctx->status == DRBG_STATUS_READY)
186 RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r);
191 * Uninstantiate |dctx|. Must be instantiated before it can be used.
193 int RAND_DRBG_uninstantiate(DRBG_CTX *dctx)
195 int ret = ctr_uninstantiate(dctx);
197 OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
198 dctx->status = DRBG_STATUS_UNINITIALISED;
203 * Mix in the specified data to reseed |dctx|.
205 int RAND_DRBG_reseed(DRBG_CTX *dctx,
206 const unsigned char *adin, size_t adinlen)
208 unsigned char *entropy = NULL;
212 if (dctx->status != DRBG_STATUS_READY
213 && dctx->status != DRBG_STATUS_RESEED) {
214 if (dctx->status == DRBG_STATUS_ERROR)
215 r = RAND_R_IN_ERROR_STATE;
216 else if (dctx->status == DRBG_STATUS_UNINITIALISED)
217 r = RAND_R_NOT_INSTANTIATED;
223 else if (adinlen > dctx->max_adin) {
224 r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
228 dctx->status = DRBG_STATUS_ERROR;
229 entlen = get_entropy(dctx, &entropy, dctx->strength,
230 dctx->min_entropy, dctx->max_entropy);
232 if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
233 r = RAND_R_ERROR_RETRIEVING_ENTROPY;
237 if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen))
239 dctx->status = DRBG_STATUS_READY;
240 dctx->reseed_counter = 1;
243 if (entropy != NULL && dctx->cleanup_entropy != NULL)
244 cleanup_entropy(dctx, entropy, entlen);
245 if (dctx->status == DRBG_STATUS_READY)
248 RANDerr(RAND_F_RAND_DRBG_RESEED, r);
254 * Generate |outlen| bytes into the buffer at |out|. Reseed if we need
255 * to or if |prediction_resistance| is set. Additional input can be
256 * sent in |adin| and |adinlen|.
258 int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
259 int prediction_resistance,
260 const unsigned char *adin, size_t adinlen)
264 if (dctx->status != DRBG_STATUS_READY
265 && dctx->status != DRBG_STATUS_RESEED) {
266 if (dctx->status == DRBG_STATUS_ERROR)
267 r = RAND_R_IN_ERROR_STATE;
268 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
269 r = RAND_R_NOT_INSTANTIATED;
273 if (outlen > dctx->max_request) {
274 r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG;
277 if (adinlen > dctx->max_adin) {
278 r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
282 if (dctx->reseed_counter >= dctx->reseed_interval)
283 dctx->status = DRBG_STATUS_RESEED;
285 if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
286 if (!RAND_DRBG_reseed(dctx, adin, adinlen)) {
287 r = RAND_R_RESEED_ERROR;
294 if (!ctr_generate(dctx, out, outlen, adin, adinlen)) {
295 r = RAND_R_GENERATE_ERROR;
296 dctx->status = DRBG_STATUS_ERROR;
299 if (dctx->reseed_counter >= dctx->reseed_interval)
300 dctx->status = DRBG_STATUS_RESEED;
302 dctx->reseed_counter++;
306 RANDerr(RAND_F_RAND_DRBG_GENERATE, r);
311 * Set the callbacks for entropy and nonce. Used mainly for the KATs
313 int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
314 size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
315 int entropy, size_t min_len, size_t max_len),
316 void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
317 size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
318 int entropy, size_t min_len, size_t max_len),
319 void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
321 if (dctx->status != DRBG_STATUS_UNINITIALISED)
323 dctx->get_entropy = cb_get_entropy;
324 dctx->cleanup_entropy = cb_cleanup_entropy;
325 dctx->get_nonce = cb_get_nonce;
326 dctx->cleanup_nonce = cb_cleanup_nonce;
331 * Set the reseed interval. Used mainly for the KATs.
333 int RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval)
335 if (interval < 0 || interval > MAX_RESEED)
337 dctx->reseed_interval = interval;
342 * Get and set the EXDATA
344 int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg)
346 return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg);
349 void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx)
351 return CRYPTO_get_ex_data(&dctx->ex_data, idx);