fips rand: DRBG KAT self test updates to provider model.
[openssl.git] / crypto / rand / drbg_lib.c
1 /*
2  * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 /*
11  * RAND_DRBG_set is deprecated for public use, but still ok for
12  * internal use.
13  */
14 #include "internal/deprecated.h"
15
16 #include <string.h>
17 #include <openssl/crypto.h>
18 #include <openssl/err.h>
19 #include <openssl/rand.h>
20 #include <openssl/core_names.h>
21 #include "rand_local.h"
22 #include "internal/thread_once.h"
23 #include "crypto/rand.h"
24 #include "crypto/cryptlib.h"
25
26 /*
27  * Support framework for NIST SP 800-90A DRBG
28  *
29  * See manual page RAND_DRBG(7) for a general overview.
30  *
31  * The OpenSSL model is to have new and free functions, and that new
32  * does all initialization.  That is not the NIST model, which has
33  * instantiation and un-instantiate, and re-use within a new/free
34  * lifecycle.  (No doubt this comes from the desire to support hardware
35  * DRBG, where allocation of resources on something like an HSM is
36  * a much bigger deal than just re-setting an allocated resource.)
37  */
38
39
40 typedef struct drbg_global_st {
41     /*
42      * The three shared DRBG instances
43      *
44      * There are three shared DRBG instances: <master>, <public>, and <private>.
45      */
46     CRYPTO_RWLOCK *lock;
47
48     /*
49      * The <master> DRBG
50      *
51      * Not used directly by the application, only for reseeding the two other
52      * DRBGs. It reseeds itself by pulling either randomness from os entropy
53      * sources or by consuming randomness which was added by RAND_add().
54      *
55      * The <master> DRBG is a global instance which is accessed concurrently by
56      * all threads. The necessary locking is managed automatically by its child
57      * DRBG instances during reseeding.
58      */
59     RAND_DRBG *master_drbg;
60     /*
61      * The <public> DRBG
62      *
63      * Used by default for generating random bytes using RAND_bytes().
64      *
65      * The <public> DRBG is thread-local, i.e., there is one instance per
66      * thread.
67      */
68     CRYPTO_THREAD_LOCAL public_drbg;
69     /*
70      * The <private> DRBG
71      *
72      * Used by default for generating private keys using RAND_priv_bytes()
73      *
74      * The <private> DRBG is thread-local, i.e., there is one instance per
75      * thread.
76      */
77     CRYPTO_THREAD_LOCAL private_drbg;
78 } DRBG_GLOBAL;
79
80 #define RAND_DRBG_TYPE_FLAGS    ( \
81     RAND_DRBG_FLAG_MASTER | RAND_DRBG_FLAG_PUBLIC | RAND_DRBG_FLAG_PRIVATE )
82
83 #define RAND_DRBG_TYPE_MASTER                     0
84 #define RAND_DRBG_TYPE_PUBLIC                     1
85 #define RAND_DRBG_TYPE_PRIVATE                    2
86
87 /* Defaults */
88 static int rand_drbg_type[3] = {
89     RAND_DRBG_TYPE, /* Master */
90     RAND_DRBG_TYPE, /* Public */
91     RAND_DRBG_TYPE  /* Private */
92 };
93 static unsigned int rand_drbg_flags[3] = {
94     RAND_DRBG_FLAGS | RAND_DRBG_FLAG_MASTER, /* Master */
95     RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PUBLIC, /* Public */
96     RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PRIVATE /* Private */
97 };
98
99 static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL;
100 static unsigned int slave_reseed_interval  = SLAVE_RESEED_INTERVAL;
101
102 static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
103 static time_t slave_reseed_time_interval  = SLAVE_RESEED_TIME_INTERVAL;
104
105 /* A logical OR of all used DRBG flag bits (currently there is only one) */
106 static const unsigned int rand_drbg_used_flags =
107     RAND_DRBG_FLAG_CTR_NO_DF | RAND_DRBG_FLAG_HMAC | RAND_DRBG_TYPE_FLAGS;
108
109
110 static RAND_DRBG *drbg_setup(OPENSSL_CTX *ctx, RAND_DRBG *parent, int drbg_type);
111
112 static int get_drbg_params(int type, unsigned int flags, const char **name,
113                            OSSL_PARAM params[3])
114 {
115     OSSL_PARAM *p = params;
116
117     switch (type) {
118     case 0:
119         return 1;
120     default:
121         return 0;
122
123 #define CTR(v)                                                              \
124     *name = "CTR-DRBG";                                                     \
125     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_CIPHER, v, 0)
126
127     case NID_aes_128_ctr:
128         CTR(SN_aes_128_ctr);
129         break;
130     case NID_aes_192_ctr:
131         CTR(SN_aes_192_ctr);
132         break;
133     case NID_aes_256_ctr:
134         CTR(SN_aes_256_ctr);
135         break;
136
137 #define DGST(v)                                                             \
138     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_DIGEST, v, 0);  \
139     if ((flags & RAND_DRBG_FLAG_HMAC) == 0) {                               \
140         *name = "HASH-DRBG";                                                \
141     } else {                                                                \
142         *name = "HMAC-DRBG";                                                \
143         *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC,        \
144                                                 SN_hmac, 0);                \
145     }
146
147     case NID_sha1:
148         DGST(SN_sha1);
149         break;
150     case NID_sha224:
151         DGST(SN_sha224);
152         break;
153     case NID_sha256:
154         DGST(SN_sha256);
155         break;
156     case NID_sha384:
157         DGST(SN_sha384);
158         break;
159     case NID_sha512:
160         DGST(SN_sha512);
161         break;
162     case NID_sha512_224:
163         DGST(SN_sha512_224);
164         break;
165     case NID_sha512_256:
166         DGST(SN_sha512_256);
167         break;
168     case NID_sha3_224:
169         DGST(SN_sha3_224);
170         break;
171     case NID_sha3_256:
172         DGST(SN_sha3_256);
173         break;
174     case NID_sha3_384:
175         DGST(SN_sha3_384);
176         break;
177     case NID_sha3_512:
178         DGST(SN_sha3_512);
179     }
180     *p = OSSL_PARAM_construct_end();
181     return 1;
182 }
183
184 /*
185  * Initialize the OPENSSL_CTX global DRBGs on first use.
186  * Returns the allocated global data on success or NULL on failure.
187  */
188 static void *drbg_ossl_ctx_new(OPENSSL_CTX *libctx)
189 {
190     DRBG_GLOBAL *dgbl = OPENSSL_zalloc(sizeof(*dgbl));
191
192     if (dgbl == NULL)
193         return NULL;
194
195 #ifndef FIPS_MODULE
196     /*
197      * We need to ensure that base libcrypto thread handling has been
198      * initialised.
199      */
200      OPENSSL_init_crypto(0, NULL);
201 #endif
202
203     dgbl->lock = CRYPTO_THREAD_lock_new();
204     if (dgbl->lock == NULL)
205         goto err0;
206
207     if (!CRYPTO_THREAD_init_local(&dgbl->private_drbg, NULL))
208         goto err1;
209
210     if (!CRYPTO_THREAD_init_local(&dgbl->public_drbg, NULL))
211         goto err2;
212
213     return dgbl;
214
215  err2:
216     CRYPTO_THREAD_cleanup_local(&dgbl->private_drbg);
217  err1:
218     CRYPTO_THREAD_lock_free(dgbl->lock);
219  err0:
220     OPENSSL_free(dgbl);
221     return NULL;
222 }
223
224 static void drbg_ossl_ctx_free(void *vdgbl)
225 {
226     DRBG_GLOBAL *dgbl = vdgbl;
227
228     if (dgbl == NULL)
229         return;
230
231     CRYPTO_THREAD_lock_free(dgbl->lock);
232     RAND_DRBG_free(dgbl->master_drbg);
233     CRYPTO_THREAD_cleanup_local(&dgbl->private_drbg);
234     CRYPTO_THREAD_cleanup_local(&dgbl->public_drbg);
235
236     OPENSSL_free(dgbl);
237 }
238
239 static const OPENSSL_CTX_METHOD drbg_ossl_ctx_method = {
240     drbg_ossl_ctx_new,
241     drbg_ossl_ctx_free,
242 };
243
244 static DRBG_GLOBAL *drbg_get_global(OPENSSL_CTX *libctx)
245 {
246     return openssl_ctx_get_data(libctx, OPENSSL_CTX_DRBG_INDEX,
247                                 &drbg_ossl_ctx_method);
248 }
249
250 /*
251  * Set the |drbg|'s callback data pointer for the entropy and nonce callbacks
252  *
253  * The ownership of the context data remains with the caller,
254  * i.e., it is the caller's responsibility to keep it available as long
255  * as it is need by the callbacks and free it after use.
256  *
257  * Setting the callback data is allowed only if the drbg has not been
258  * initialized yet. Otherwise, the operation will fail.
259  *
260  * Returns 1 on success, 0 on failure.
261  */
262 int RAND_DRBG_set_callback_data(RAND_DRBG *drbg, void *data)
263 {
264     if (EVP_RAND_state(drbg->rand) != EVP_RAND_STATE_UNINITIALISED
265             || drbg->parent != NULL)
266         return 0;
267
268     drbg->callback_data = data;
269     return 1;
270 }
271
272 /* Retrieve the callback data pointer */
273 void *RAND_DRBG_get_callback_data(RAND_DRBG *drbg)
274 {
275     return drbg->callback_data;
276 }
277
278 /*
279  * Set/initialize |drbg| to be of type |type|, with optional |flags|.
280  *
281  * If |type| and |flags| are zero, use the defaults
282  *
283  * Returns 1 on success, 0 on failure.
284  */
285 int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
286 {
287     OSSL_PARAM params[6], *p = params;
288     unsigned int reseed_interval;
289     time_t reseed_time_interval;
290     const char *name = NULL;
291     EVP_RAND *rand;
292     EVP_RAND_CTX *pctx;
293     int use_df;
294
295     if (type == 0 && flags == 0) {
296         type = rand_drbg_type[RAND_DRBG_TYPE_MASTER];
297         flags = rand_drbg_flags[RAND_DRBG_TYPE_MASTER];
298     }
299
300     if (drbg->parent == NULL) {
301         reseed_interval = master_reseed_interval;
302         reseed_time_interval = master_reseed_time_interval;
303     } else {
304         reseed_interval = slave_reseed_interval;
305         reseed_time_interval = slave_reseed_time_interval;
306     }
307     *p++ = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS,
308                                      &reseed_interval);
309     *p++ = OSSL_PARAM_construct_time_t(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL,
310                                        &reseed_time_interval);
311     use_df = (flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0;
312     *p++ = OSSL_PARAM_construct_int(OSSL_DRBG_PARAM_USE_DF, &use_df);
313
314     if (!get_drbg_params(type, flags, &name, p)) {
315         RANDerr(0, RAND_R_UNSUPPORTED_DRBG_TYPE);
316         return 0;
317     }
318
319     rand = EVP_RAND_fetch(drbg->libctx, name, NULL);
320     if (rand == NULL) {
321         RANDerr(0, RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
322         return 0;
323     }
324
325     EVP_RAND_CTX_free(drbg->rand);
326     drbg->rand = NULL;
327
328     drbg->flags = flags;
329     drbg->type = type;
330
331     pctx = drbg->parent != NULL ? drbg->parent->rand : NULL;
332     drbg->rand = EVP_RAND_CTX_new(rand, pctx);
333     EVP_RAND_free(rand);
334     if (drbg->rand == NULL) {
335         RANDerr(0, RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
336         goto err;
337     }
338
339     if (!EVP_RAND_set_ctx_params(drbg->rand, params)) {
340         RANDerr(0, RAND_R_ERROR_INITIALISING_DRBG);
341         goto err;
342     }
343     return 1;
344 err:
345     EVP_RAND_CTX_free(drbg->rand);
346     drbg->rand = NULL;
347     drbg->type = 0;
348     drbg->flags = 0;
349     return 0;
350 }
351
352 /*
353  * Set/initialize default |type| and |flag| for new drbg instances.
354  *
355  * Returns 1 on success, 0 on failure.
356  */
357 int RAND_DRBG_set_defaults(int type, unsigned int flags)
358 {
359     int all;
360     const char *name;
361     OSSL_PARAM params[3];
362
363     if (!get_drbg_params(type, flags, &name, params)) {
364         RANDerr(RAND_F_RAND_DRBG_SET_DEFAULTS, RAND_R_UNSUPPORTED_DRBG_TYPE);
365         return 0;
366     }
367
368     if ((flags & ~rand_drbg_used_flags) != 0) {
369         RANDerr(RAND_F_RAND_DRBG_SET_DEFAULTS, RAND_R_UNSUPPORTED_DRBG_FLAGS);
370         return 0;
371     }
372
373     all = ((flags & RAND_DRBG_TYPE_FLAGS) == 0);
374     if (all || (flags & RAND_DRBG_FLAG_MASTER) != 0) {
375         rand_drbg_type[RAND_DRBG_TYPE_MASTER] = type;
376         rand_drbg_flags[RAND_DRBG_TYPE_MASTER] = flags | RAND_DRBG_FLAG_MASTER;
377     }
378     if (all || (flags & RAND_DRBG_FLAG_PUBLIC) != 0) {
379         rand_drbg_type[RAND_DRBG_TYPE_PUBLIC]  = type;
380         rand_drbg_flags[RAND_DRBG_TYPE_PUBLIC] = flags | RAND_DRBG_FLAG_PUBLIC;
381     }
382     if (all || (flags & RAND_DRBG_FLAG_PRIVATE) != 0) {
383         rand_drbg_type[RAND_DRBG_TYPE_PRIVATE] = type;
384         rand_drbg_flags[RAND_DRBG_TYPE_PRIVATE] = flags | RAND_DRBG_FLAG_PRIVATE;
385     }
386     return 1;
387 }
388
389
390 /*
391  * Allocate memory and initialize a new DRBG.
392  * The |parent|, if not NULL, will be used as random source for reseeding.
393  *
394  * Returns a pointer to the new DRBG instance on success, NULL on failure.
395  */
396 static RAND_DRBG *rand_drbg_new(OPENSSL_CTX *ctx,
397                                 int type,
398                                 unsigned int flags,
399                                 RAND_DRBG *parent)
400 {
401     RAND_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg));
402
403     if (drbg == NULL) {
404         RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE);
405         return NULL;
406     }
407
408     drbg->libctx = ctx;
409     drbg->parent = parent;
410
411     if (RAND_DRBG_set(drbg, type, flags) == 0)
412         goto err;
413
414     return drbg;
415
416  err:
417     RAND_DRBG_free(drbg);
418
419     return NULL;
420 }
421
422 RAND_DRBG *RAND_DRBG_new_ex(OPENSSL_CTX *ctx, int type, unsigned int flags,
423                             RAND_DRBG *parent)
424 {
425     return rand_drbg_new(ctx, type, flags, parent);
426 }
427
428 RAND_DRBG *RAND_DRBG_new(int type, unsigned int flags, RAND_DRBG *parent)
429 {
430     return RAND_DRBG_new_ex(NULL, type, flags, parent);
431 }
432
433 /*
434  * Uninstantiate |drbg| and free all memory.
435  */
436 void RAND_DRBG_free(RAND_DRBG *drbg)
437 {
438     if (drbg == NULL)
439         return;
440
441     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RAND_DRBG, drbg, &drbg->ex_data);
442     EVP_RAND_CTX_free(drbg->rand);
443     OPENSSL_free(drbg);
444 }
445
446 /*
447  * Instantiate |drbg|, after it has been initialized.  Use |pers| and
448  * |perslen| as prediction-resistance input.
449  *
450  * Requires that drbg->lock is already locked for write, if non-null.
451  *
452  * Returns 1 on success, 0 on failure.
453  */
454 int RAND_DRBG_instantiate(RAND_DRBG *drbg,
455                           const unsigned char *pers, size_t perslen)
456 {
457     return EVP_RAND_instantiate(drbg->rand, EVP_RAND_strength(drbg->rand), 0,
458                                 pers, perslen);
459 }
460
461 /*
462  * Uninstantiate |drbg|. Must be instantiated before it can be used.
463  *
464  * Requires that drbg->lock is already locked for write, if non-null.
465  *
466  * Returns 1 on success, 0 on failure.
467  */
468 int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
469 {
470     int index = -1, type, flags;
471
472     if (!EVP_RAND_uninstantiate(drbg->rand))
473         return 0;
474
475     /* The reset uses the default values for type and flags */
476     if (drbg->flags & RAND_DRBG_FLAG_MASTER)
477         index = RAND_DRBG_TYPE_MASTER;
478     else if (drbg->flags & RAND_DRBG_FLAG_PRIVATE)
479         index = RAND_DRBG_TYPE_PRIVATE;
480     else if (drbg->flags & RAND_DRBG_FLAG_PUBLIC)
481         index = RAND_DRBG_TYPE_PUBLIC;
482
483     if (index != -1) {
484         flags = rand_drbg_flags[index];
485         type = rand_drbg_type[index];
486     } else {
487         flags = drbg->flags;
488         type = drbg->type;
489     }
490     return RAND_DRBG_set(drbg, type, flags);
491 }
492
493 /*
494  * Reseed |drbg|, mixing in the specified data
495  *
496  * Requires that drbg->lock is already locked for write, if non-null.
497  *
498  * Returns 1 on success, 0 on failure.
499  */
500 int RAND_DRBG_reseed(RAND_DRBG *drbg,
501                      const unsigned char *adin, size_t adinlen,
502                      int prediction_resistance)
503 {
504     return EVP_RAND_reseed(drbg->rand, prediction_resistance, NULL, 0,
505                            adin, adinlen);
506 }
507
508 /*
509  * Generate |outlen| bytes into the buffer at |out|.  Reseed if we need
510  * to or if |prediction_resistance| is set.  Additional input can be
511  * sent in |adin| and |adinlen|.
512  *
513  * Requires that drbg->lock is already locked for write, if non-null.
514  *
515  * Returns 1 on success, 0 on failure.
516  *
517  */
518 int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
519                        int prediction_resistance,
520                        const unsigned char *adin, size_t adinlen)
521 {
522     return EVP_RAND_generate(drbg->rand, out, outlen, 0,
523                              prediction_resistance, adin, adinlen);
524 }
525
526 /*
527  * Generates |outlen| random bytes and stores them in |out|. It will
528  * using the given |drbg| to generate the bytes.
529  *
530  * Requires that drbg->lock is already locked for write, if non-null.
531  *
532  * Returns 1 on success 0 on failure.
533  */
534 int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
535 {
536     return EVP_RAND_generate(drbg->rand, out, outlen, 0, 0, NULL, 0);
537 }
538
539 /* DRBG call back shims */
540 static int rand_drbg_get_entroy_cb(const OSSL_PARAM *params, OSSL_PARAM *out,
541                                    void *vdrbg)
542 {
543     RAND_DRBG *drbg = (RAND_DRBG *)vdrbg;
544     int entropy = 0, prediction_resistance = 0;
545     size_t min_len = 0, max_len = 2048;
546     const OSSL_PARAM *p;
547     OSSL_PARAM *q;
548
549     if (drbg->get_entropy == NULL)
550         return 0;
551
552     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_ENTROPY_REQUIRED);
553     if (p == NULL || !OSSL_PARAM_get_int(p, &entropy))
554         return 0;
555
556     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_PREDICTION_RESISTANCE);
557     if (p == NULL || !OSSL_PARAM_get_int(p, &prediction_resistance))
558         return 0;
559
560     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_MAX_LENGTH);
561     if (p == NULL || !OSSL_PARAM_get_size_t(p, &max_len))
562         return 0;
563
564     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_MIN_LENGTH);
565     if (p == NULL || !OSSL_PARAM_get_size_t(p, &min_len))
566         return 0;
567
568     q = OSSL_PARAM_locate(out, OSSL_DRBG_PARAM_RANDOM_DATA);
569     if (q == NULL || q->data_type != OSSL_PARAM_OCTET_PTR || q->data == NULL)
570         return 0;
571
572     q->return_size = drbg->get_entropy(drbg, (unsigned char **)q->data, entropy,
573                                        min_len, max_len, prediction_resistance);
574     return 1;
575 }
576
577 static int rand_drbg_cleanup_entropy_cb(const OSSL_PARAM *params, void *vdrbg)
578 {
579     RAND_DRBG *drbg = (RAND_DRBG *)vdrbg;
580     const OSSL_PARAM *p;
581     size_t sz;
582
583     if (drbg->cleanup_entropy == NULL)
584         return 0;
585
586     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_SIZE);
587     if (p == NULL || !OSSL_PARAM_get_size_t(p, &sz))
588         return 0;
589
590     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RANDOM_DATA);
591     if (p == NULL || p->data_type != OSSL_PARAM_OCTET_PTR)
592         return 0;
593
594     drbg->cleanup_entropy(drbg, p->data, sz);
595     return 1;
596 }
597
598 static int rand_drbg_get_nonce_cb(const OSSL_PARAM *params, OSSL_PARAM *out,
599                                   void *vdrbg)
600 {
601     RAND_DRBG *drbg = (RAND_DRBG *)vdrbg;
602     int entropy = 0;
603     size_t min_len = 0, max_len = 10240;
604     const OSSL_PARAM *p;
605     OSSL_PARAM *q;
606
607     if (drbg->get_nonce == NULL)
608         return 0;
609
610     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_ENTROPY_REQUIRED);
611     if (p == NULL || !OSSL_PARAM_get_int(p, &entropy))
612         return 0;
613
614     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_MAX_LENGTH);
615     if (p == NULL || !OSSL_PARAM_get_size_t(p, &max_len))
616         return 0;
617
618     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_MIN_LENGTH);
619     if (p == NULL || !OSSL_PARAM_get_size_t(p, &min_len))
620         return 0;
621
622     q = OSSL_PARAM_locate(out, OSSL_DRBG_PARAM_RANDOM_DATA);
623     if (q == NULL || q->data_type != OSSL_PARAM_OCTET_PTR || q->data == NULL)
624         return 0;
625
626     q->return_size = drbg->get_nonce(drbg, (unsigned char **)q->data, entropy,
627                                      min_len, max_len);
628     return 1;
629 }
630
631 static int rand_drbg_cleanup_nonce_cb(const OSSL_PARAM *params, void *vdrbg)
632 {
633     RAND_DRBG *drbg = (RAND_DRBG *)vdrbg;
634     const OSSL_PARAM *p;
635     size_t sz;
636
637     if (drbg->cleanup_nonce == NULL)
638         return 0;
639
640     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_SIZE);
641     if (p == NULL || !OSSL_PARAM_get_size_t(p, &sz))
642         return 0;
643
644     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RANDOM_DATA);
645     if (p == NULL || p->data_type != OSSL_PARAM_OCTET_PTR)
646         return 0;
647
648     drbg->cleanup_nonce(drbg, p->data, sz);
649     return 1;
650 }
651
652 /*
653  * Set the RAND_DRBG callbacks for obtaining entropy and nonce.
654  *
655  * Setting the callbacks is allowed only if the drbg has not been
656  * initialized yet. Otherwise, the operation will fail.
657  *
658  * Returns 1 on success, 0 on failure.
659  */
660 int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
661                             RAND_DRBG_get_entropy_fn get_entropy,
662                             RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
663                             RAND_DRBG_get_nonce_fn get_nonce,
664                             RAND_DRBG_cleanup_nonce_fn cleanup_nonce)
665 {
666     EVP_RAND_CTX *rand = drbg->rand;
667     OSSL_INOUT_CALLBACK *g_ent = NULL, *g_nonce = NULL;
668     OSSL_CALLBACK *c_ent = NULL, *c_nonce = NULL;
669
670     if (get_entropy != NULL) {
671         g_ent = &rand_drbg_get_entroy_cb;
672         c_ent = &rand_drbg_cleanup_entropy_cb;
673     }
674     if (get_nonce != NULL) {
675         g_nonce = rand_drbg_get_nonce_cb;
676         c_nonce = rand_drbg_cleanup_nonce_cb;
677     }
678     if (!EVP_RAND_set_callbacks(rand, g_ent, c_ent, g_nonce, c_nonce, drbg))
679         return 0;
680
681     drbg->get_entropy = g_ent != NULL ? get_entropy : NULL;
682     drbg->cleanup_entropy = c_ent != NULL ? cleanup_entropy : NULL;
683     drbg->get_nonce = g_nonce != NULL ? get_nonce : NULL;
684     drbg->cleanup_nonce = c_nonce != NULL ? cleanup_nonce : NULL;
685     return 1;
686 }
687
688 /*
689  * Set the reseed interval.
690  *
691  * The drbg will reseed automatically whenever the number of generate
692  * requests exceeds the given reseed interval. If the reseed interval
693  * is 0, then this feature is disabled.
694  *
695  * Returns 1 on success, 0 on failure.
696  */
697 int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg, unsigned int interval)
698 {
699     OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
700
701     if (interval > MAX_RESEED_INTERVAL)
702         return 0;
703     params[0] = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS,
704                                           &interval);
705     return EVP_RAND_set_ctx_params(drbg->rand, params);
706 }
707
708 /*
709  * Set the reseed time interval.
710  *
711  * The drbg will reseed automatically whenever the time elapsed since
712  * the last reseeding exceeds the given reseed time interval. For safety,
713  * a reseeding will also occur if the clock has been reset to a smaller
714  * value.
715  *
716  * Returns 1 on success, 0 on failure.
717  */
718 int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg, time_t interval)
719 {
720     OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
721
722     if (interval > MAX_RESEED_TIME_INTERVAL)
723         return 0;
724     params[0] =
725         OSSL_PARAM_construct_time_t(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL,
726                                     &interval);
727     return EVP_RAND_set_ctx_params(drbg->rand, params);
728 }
729
730 /*
731  * Set the default values for reseed (time) intervals of new DRBG instances
732  *
733  * The default values can be set independently for master DRBG instances
734  * (without a parent) and slave DRBG instances (with parent).
735  *
736  * Returns 1 on success, 0 on failure.
737  */
738
739 int RAND_DRBG_set_reseed_defaults(
740                                   unsigned int _master_reseed_interval,
741                                   unsigned int _slave_reseed_interval,
742                                   time_t _master_reseed_time_interval,
743                                   time_t _slave_reseed_time_interval
744                                   )
745 {
746     if (_master_reseed_interval > MAX_RESEED_INTERVAL
747         || _slave_reseed_interval > MAX_RESEED_INTERVAL)
748         return 0;
749
750     if (_master_reseed_time_interval > MAX_RESEED_TIME_INTERVAL
751         || _slave_reseed_time_interval > MAX_RESEED_TIME_INTERVAL)
752         return 0;
753
754     master_reseed_interval = _master_reseed_interval;
755     slave_reseed_interval = _slave_reseed_interval;
756
757     master_reseed_time_interval = _master_reseed_time_interval;
758     slave_reseed_time_interval = _slave_reseed_time_interval;
759
760     return 1;
761 }
762
763 /*
764  * Get and set the EXDATA
765  */
766 int RAND_DRBG_set_ex_data(RAND_DRBG *drbg, int idx, void *arg)
767 {
768     return CRYPTO_set_ex_data(&drbg->ex_data, idx, arg);
769 }
770
771 void *RAND_DRBG_get_ex_data(const RAND_DRBG *drbg, int idx)
772 {
773     return CRYPTO_get_ex_data(&drbg->ex_data, idx);
774 }
775
776 /*
777  * The following functions provide a RAND_METHOD that works on the
778  * global DRBG.  They lock.
779  */
780
781 /*
782  * Allocates a new global DRBG on the secure heap (if enabled) and
783  * initializes it with default settings.
784  *
785  * Returns a pointer to the new DRBG instance on success, NULL on failure.
786  */
787 static RAND_DRBG *drbg_setup(OPENSSL_CTX *ctx, RAND_DRBG *parent, int drbg_type)
788 {
789     RAND_DRBG *drbg;
790
791     drbg = RAND_DRBG_new_ex(ctx, rand_drbg_type[drbg_type],
792                             rand_drbg_flags[drbg_type], parent);
793     if (drbg == NULL)
794         return NULL;
795
796     /* Only the master DRBG needs to have a lock */
797     if (parent == NULL && EVP_RAND_enable_locking(drbg->rand) == 0)
798         goto err;
799
800     /*
801      * Ignore instantiation error to support just-in-time instantiation.
802      *
803      * The state of the drbg will be checked in RAND_DRBG_generate() and
804      * an automatic recovery is attempted.
805      */
806     (void)RAND_DRBG_instantiate(drbg, NULL, 0);
807     return drbg;
808
809 err:
810     RAND_DRBG_free(drbg);
811     return NULL;
812 }
813
814 static void drbg_delete_thread_state(void *arg)
815 {
816     OPENSSL_CTX *ctx = arg;
817     DRBG_GLOBAL *dgbl = drbg_get_global(ctx);
818     RAND_DRBG *drbg;
819
820     if (dgbl == NULL)
821         return;
822     drbg = CRYPTO_THREAD_get_local(&dgbl->public_drbg);
823     CRYPTO_THREAD_set_local(&dgbl->public_drbg, NULL);
824     RAND_DRBG_free(drbg);
825
826     drbg = CRYPTO_THREAD_get_local(&dgbl->private_drbg);
827     CRYPTO_THREAD_set_local(&dgbl->private_drbg, NULL);
828     RAND_DRBG_free(drbg);
829 }
830
831 /* Implements the default OpenSSL RAND_bytes() method */
832 static int drbg_bytes(unsigned char *out, int count)
833 {
834     int ret;
835     RAND_DRBG *drbg = RAND_DRBG_get0_public();
836
837     if (drbg == NULL)
838         return 0;
839
840     ret = RAND_DRBG_bytes(drbg, out, count);
841
842     return ret;
843 }
844
845 /* Implements the default OpenSSL RAND_add() method */
846 static int drbg_add(const void *buf, int num, double randomness)
847 {
848     RAND_DRBG *drbg = RAND_DRBG_get0_master();
849
850     if (drbg == NULL || num <= 0)
851         return 0;
852
853     return EVP_RAND_reseed(drbg->rand, 0, NULL, 0, buf, num);
854 }
855
856 /* Implements the default OpenSSL RAND_seed() method */
857 static int drbg_seed(const void *buf, int num)
858 {
859     return drbg_add(buf, num, num);
860 }
861
862 /* Implements the default OpenSSL RAND_status() method */
863 static int drbg_status(void)
864 {
865     int ret;
866     RAND_DRBG *drbg = RAND_DRBG_get0_master();
867
868     if (drbg == NULL)
869         return 0;
870
871     ret = EVP_RAND_state(drbg->rand) == EVP_RAND_STATE_READY ? 1 : 0;
872     return ret;
873 }
874
875 int RAND_DRBG_verify_zeroization(RAND_DRBG *drbg)
876 {
877     return EVP_RAND_verify_zeroization(drbg->rand);
878 }
879
880 /*
881  * Get the master DRBG.
882  * Returns pointer to the DRBG on success, NULL on failure.
883  *
884  */
885 RAND_DRBG *OPENSSL_CTX_get0_master_drbg(OPENSSL_CTX *ctx)
886 {
887     DRBG_GLOBAL *dgbl = drbg_get_global(ctx);
888
889     if (dgbl == NULL)
890         return NULL;
891
892     if (dgbl->master_drbg == NULL) {
893         if (!CRYPTO_THREAD_write_lock(dgbl->lock))
894             return NULL;
895         if (dgbl->master_drbg == NULL)
896             dgbl->master_drbg = drbg_setup(ctx, NULL, RAND_DRBG_TYPE_MASTER);
897         CRYPTO_THREAD_unlock(dgbl->lock);
898     }
899     return dgbl->master_drbg;
900 }
901
902 RAND_DRBG *RAND_DRBG_get0_master(void)
903 {
904     return OPENSSL_CTX_get0_master_drbg(NULL);
905 }
906
907 /*
908  * Get the public DRBG.
909  * Returns pointer to the DRBG on success, NULL on failure.
910  */
911 RAND_DRBG *OPENSSL_CTX_get0_public_drbg(OPENSSL_CTX *ctx)
912 {
913     DRBG_GLOBAL *dgbl = drbg_get_global(ctx);
914     RAND_DRBG *drbg, *master;
915
916     if (dgbl == NULL)
917         return NULL;
918
919     drbg = CRYPTO_THREAD_get_local(&dgbl->public_drbg);
920     if (drbg == NULL) {
921         master = OPENSSL_CTX_get0_master_drbg(ctx);
922         if (master == NULL)
923             return NULL;
924
925         ctx = openssl_ctx_get_concrete(ctx);
926         /*
927          * If the private_drbg is also NULL then this is the first time we've
928          * used this thread.
929          */
930         if (CRYPTO_THREAD_get_local(&dgbl->private_drbg) == NULL
931                 && !ossl_init_thread_start(NULL, ctx, drbg_delete_thread_state))
932             return NULL;
933         drbg = drbg_setup(ctx, master, RAND_DRBG_TYPE_PUBLIC);
934         CRYPTO_THREAD_set_local(&dgbl->public_drbg, drbg);
935     }
936     return drbg;
937 }
938
939 RAND_DRBG *RAND_DRBG_get0_public(void)
940 {
941     return OPENSSL_CTX_get0_public_drbg(NULL);
942 }
943
944 /*
945  * Get the private DRBG.
946  * Returns pointer to the DRBG on success, NULL on failure.
947  */
948 RAND_DRBG *OPENSSL_CTX_get0_private_drbg(OPENSSL_CTX *ctx)
949 {
950     DRBG_GLOBAL *dgbl = drbg_get_global(ctx);
951     RAND_DRBG *drbg, *master;
952
953     if (dgbl == NULL)
954         return NULL;
955
956     drbg = CRYPTO_THREAD_get_local(&dgbl->private_drbg);
957     if (drbg == NULL) {
958         master = OPENSSL_CTX_get0_master_drbg(ctx);
959         if (master == NULL)
960             return NULL;
961
962         ctx = openssl_ctx_get_concrete(ctx);
963         /*
964          * If the public_drbg is also NULL then this is the first time we've
965          * used this thread.
966          */
967         if (CRYPTO_THREAD_get_local(&dgbl->public_drbg) == NULL
968                 && !ossl_init_thread_start(NULL, ctx, drbg_delete_thread_state))
969             return NULL;
970         drbg = drbg_setup(ctx, master, RAND_DRBG_TYPE_PRIVATE);
971         CRYPTO_THREAD_set_local(&dgbl->private_drbg, drbg);
972     }
973     return drbg;
974 }
975
976 RAND_DRBG *RAND_DRBG_get0_private(void)
977 {
978     return OPENSSL_CTX_get0_private_drbg(NULL);
979 }
980
981 RAND_METHOD rand_meth = {
982     drbg_seed,
983     drbg_bytes,
984     NULL,
985     drbg_add,
986     drbg_bytes,
987     drbg_status
988 };
989
990 RAND_METHOD *RAND_OpenSSL(void)
991 {
992 #ifndef FIPS_MODULE
993     return &rand_meth;
994 #else
995     return NULL;
996 #endif
997 }