2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/crypto.h>
12 #include <openssl/err.h>
13 #include <openssl/rand.h>
14 #include <openssl/evp.h>
15 #include "crypto/rand.h"
16 #include "drbg_local.h"
17 #include "internal/thread_once.h"
18 #include "crypto/cryptlib.h"
19 #include "prov/seeding.h"
20 #include "crypto/rand_pool.h"
21 #include "prov/provider_ctx.h"
22 #include "prov/providercommonerr.h"
23 #include "prov/providercommon.h"
26 * Support framework for NIST SP 800-90A DRBG
28 * See manual page PROV_DRBG(7) for a general overview.
30 * The OpenSSL model is to have new and free functions, and that new
31 * does all initialization. That is not the NIST model, which has
32 * instantiation and un-instantiate, and re-use within a new/free
33 * lifecycle. (No doubt this comes from the desire to support hardware
34 * DRBG, where allocation of resources on something like an HSM is
35 * a much bigger deal than just re-setting an allocated resource.)
38 /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
39 static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
41 static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
44 static int rand_drbg_restart(PROV_DRBG *drbg);
46 int ossl_drbg_lock(void *vctx)
48 PROV_DRBG *drbg = vctx;
50 if (drbg == NULL || drbg->lock == NULL)
52 return CRYPTO_THREAD_write_lock(drbg->lock);
55 void ossl_drbg_unlock(void *vctx)
57 PROV_DRBG *drbg = vctx;
59 if (drbg != NULL && drbg->lock != NULL)
60 CRYPTO_THREAD_unlock(drbg->lock);
63 static int ossl_drbg_lock_parent(PROV_DRBG *drbg)
65 void *parent = drbg->parent;
68 && drbg->parent_lock != NULL
69 && !drbg->parent_lock(parent)) {
70 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
76 static void ossl_drbg_unlock_parent(PROV_DRBG *drbg)
78 void *parent = drbg->parent;
80 if (parent != NULL && drbg->parent_unlock != NULL)
81 drbg->parent_unlock(parent);
84 static int get_parent_strength(PROV_DRBG *drbg, unsigned int *str)
86 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
87 void *parent = drbg->parent;
90 if (drbg->parent_get_ctx_params == NULL) {
91 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
95 *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, str);
96 if (!ossl_drbg_lock_parent(drbg)) {
97 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
100 res = drbg->parent_get_ctx_params(parent, params);
101 ossl_drbg_unlock_parent(drbg);
103 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
109 static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)
111 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
112 void *parent = drbg->parent;
115 *params = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, &r);
116 if (!ossl_drbg_lock_parent(drbg)) {
117 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
120 if (!drbg->parent_get_ctx_params(parent, params))
122 ossl_drbg_unlock_parent(drbg);
126 r = tsan_load(&drbg->reseed_counter) - 2;
133 * Implements the get_entropy() callback
135 * If the DRBG has a parent, then the required amount of entropy input
136 * is fetched using the parent's ossl_prov_drbg_generate().
138 * Otherwise, the entropy is polled from the system entropy sources
139 * using ossl_pool_acquire_entropy().
141 * If a random pool has been added to the DRBG using RAND_add(), then
142 * its entropy will be used up first.
144 static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout,
145 int entropy, size_t min_len,
146 size_t max_len, int prediction_resistance)
149 size_t r, bytes_needed;
150 unsigned char *buffer;
152 if (!get_parent_strength(drbg, &p_str))
154 if (drbg->strength > p_str) {
156 * We currently don't support the algorithm from NIST SP 800-90C
157 * 10.1.2 to use a weaker DRBG as source
159 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
163 if (drbg->parent_generate == NULL) {
164 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS);
168 /* Figure out how many bytes we need */
169 bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
170 if (bytes_needed < min_len)
171 bytes_needed = min_len;
172 if (bytes_needed > max_len)
173 bytes_needed = max_len;
175 /* Allocate storage */
176 buffer = OPENSSL_secure_malloc(bytes_needed);
177 if (buffer == NULL) {
178 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
183 * Our lock is already held, but we need to lock our parent before
184 * generating bits from it. Note: taking the lock will be a no-op
185 * if locking is not required (while drbg->parent->lock == NULL).
187 ossl_drbg_lock_parent(drbg);
189 * Get random data from parent. Include our DRBG address as
190 * additional input, in order to provide a distinction between
191 * different DRBG child instances.
193 * Note: using the sizeof() operator on a pointer triggers
194 * a warning in some static code analyzers, but it's
195 * intentional and correct here.
197 r = drbg->parent_generate(drbg->parent, buffer, bytes_needed,
198 drbg->strength, prediction_resistance,
199 (unsigned char *)&drbg,
201 ossl_drbg_unlock_parent(drbg);
203 OPENSSL_secure_clear_free(buffer, bytes_needed);
204 ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
212 * Implements the cleanup_entropy() callback
215 static void prov_drbg_cleanup_entropy(ossl_unused PROV_DRBG *drbg,
216 unsigned char *out, size_t outlen)
218 OPENSSL_secure_clear_free(out, outlen);
221 static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
222 size_t min_len, size_t max_len,
223 int prediction_resistance)
225 if (drbg->parent == NULL)
227 return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
228 prediction_resistance);
230 return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
234 return prov_drbg_get_entropy(drbg, pout, entropy, min_len, max_len,
235 prediction_resistance);
238 static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
240 if (drbg->parent == NULL) {
242 ossl_crngt_cleanup_entropy(drbg, out, outlen);
244 ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);
247 prov_drbg_cleanup_entropy(drbg, out, outlen);
251 #ifndef PROV_RAND_GET_RANDOM_NONCE
252 typedef struct prov_drbg_nonce_global_st {
253 CRYPTO_RWLOCK *rand_nonce_lock;
254 int rand_nonce_count;
255 } PROV_DRBG_NONCE_GLOBAL;
258 * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
259 * which needs to get the rand_nonce_lock out of the OSSL_LIB_CTX...but since
260 * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
261 * to be in a different global data object. Otherwise we will go into an
262 * infinite recursion loop.
264 static void *prov_drbg_nonce_ossl_ctx_new(OSSL_LIB_CTX *libctx)
266 PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
271 dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();
272 if (dngbl->rand_nonce_lock == NULL) {
280 static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl)
282 PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;
287 CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);
292 static const OSSL_LIB_CTX_METHOD drbg_nonce_ossl_ctx_method = {
293 prov_drbg_nonce_ossl_ctx_new,
294 prov_drbg_nonce_ossl_ctx_free,
297 /* Get a nonce from the operating system */
298 static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout,
299 size_t min_len, size_t max_len)
302 unsigned char *buf = NULL;
303 OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);
304 PROV_DRBG_NONCE_GLOBAL *dngbl
305 = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX,
306 &drbg_nonce_ossl_ctx_method);
315 if (drbg->parent != NULL && drbg->parent_nonce != NULL) {
316 n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen,
318 if (n > 0 && (buf = OPENSSL_malloc(n)) != NULL) {
319 ret = drbg->parent_nonce(drbg->parent, buf, 0,
320 drbg->min_noncelen, drbg->max_noncelen);
329 /* Use the built in nonce source plus some of our specifics */
330 memset(&data, 0, sizeof(data));
332 CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
333 dngbl->rand_nonce_lock);
334 return ossl_prov_get_nonce(drbg->provctx, pout, min_len, max_len,
335 &data, sizeof(data));
337 #endif /* PROV_RAND_GET_RANDOM_NONCE */
340 * Instantiate |drbg|, after it has been initialized. Use |pers| and
341 * |perslen| as prediction-resistance input.
343 * Requires that drbg->lock is already locked for write, if non-null.
345 * Returns 1 on success, 0 on failure.
347 int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength,
348 int prediction_resistance,
349 const unsigned char *pers, size_t perslen)
351 unsigned char *nonce = NULL, *entropy = NULL;
352 size_t noncelen = 0, entropylen = 0;
353 size_t min_entropy, min_entropylen, max_entropylen;
355 if (!ossl_prov_is_running())
358 if (strength > drbg->strength) {
359 ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
362 min_entropy = drbg->strength;
363 min_entropylen = drbg->min_entropylen;
364 max_entropylen = drbg->max_entropylen;
367 pers = (const unsigned char *)ossl_pers_string;
368 perslen = sizeof(ossl_pers_string);
370 if (perslen > drbg->max_perslen) {
371 ERR_raise(ERR_LIB_PROV, PROV_R_PERSONALISATION_STRING_TOO_LONG);
375 if (drbg->state != EVP_RAND_STATE_UNINITIALISED) {
376 if (drbg->state == EVP_RAND_STATE_ERROR)
377 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
379 ERR_raise(ERR_LIB_PROV, PROV_R_ALREADY_INSTANTIATED);
383 drbg->state = EVP_RAND_STATE_ERROR;
385 if (drbg->min_noncelen > 0) {
386 if (drbg->parent_nonce != NULL) {
387 noncelen = drbg->parent_nonce(drbg->parent, NULL, drbg->strength,
391 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
394 nonce = OPENSSL_malloc(noncelen);
396 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
399 if (noncelen != drbg->parent_nonce(drbg->parent, nonce,
402 drbg->max_noncelen)) {
403 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
406 #ifndef PROV_RAND_GET_RANDOM_NONCE
407 } else if (drbg->parent != NULL) {
410 * NIST SP800-90Ar1 section 9.1 says you can combine getting
411 * the entropy and nonce in 1 call by increasing the entropy
412 * with 50% and increasing the minimum length to accommodate
413 * the length of the nonce. We do this in case a nonce is
414 * required and there is no parental nonce capability.
416 min_entropy += drbg->strength / 2;
417 min_entropylen += drbg->min_noncelen;
418 max_entropylen += drbg->max_noncelen;
420 #ifndef PROV_RAND_GET_RANDOM_NONCE
421 else { /* parent == NULL */
422 noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen,
424 if (noncelen < drbg->min_noncelen
425 || noncelen > drbg->max_noncelen) {
426 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
433 drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
434 if (drbg->reseed_next_counter) {
435 drbg->reseed_next_counter++;
436 if (!drbg->reseed_next_counter)
437 drbg->reseed_next_counter = 1;
440 entropylen = get_entropy(drbg, &entropy, min_entropy,
441 min_entropylen, max_entropylen,
442 prediction_resistance);
443 if (entropylen < min_entropylen
444 || entropylen > max_entropylen) {
445 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
449 if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen,
451 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG);
455 drbg->state = EVP_RAND_STATE_READY;
456 drbg->generate_counter = 1;
457 drbg->reseed_time = time(NULL);
458 tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
462 cleanup_entropy(drbg, entropy, entropylen);
464 ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen);
465 if (drbg->state == EVP_RAND_STATE_READY)
471 * Uninstantiate |drbg|. Must be instantiated before it can be used.
473 * Requires that drbg->lock is already locked for write, if non-null.
475 * Returns 1 on success, 0 on failure.
477 int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg)
479 drbg->state = EVP_RAND_STATE_UNINITIALISED;
484 * Reseed |drbg|, mixing in the specified data
486 * Requires that drbg->lock is already locked for write, if non-null.
488 * Returns 1 on success, 0 on failure.
490 int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
491 const unsigned char *ent, size_t ent_len,
492 const unsigned char *adin, size_t adinlen)
494 unsigned char *entropy = NULL;
495 size_t entropylen = 0;
497 if (!ossl_prov_is_running())
500 if (drbg->state != EVP_RAND_STATE_READY) {
501 /* try to recover from previous errors */
502 rand_drbg_restart(drbg);
504 if (drbg->state == EVP_RAND_STATE_ERROR) {
505 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
508 if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
509 ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
515 if (ent_len < drbg->min_entropylen) {
516 ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_OUT_OF_RANGE);
517 drbg->state = EVP_RAND_STATE_ERROR;
520 if (ent_len > drbg->max_entropylen) {
521 ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_INPUT_TOO_LONG);
522 drbg->state = EVP_RAND_STATE_ERROR;
529 } else if (adinlen > drbg->max_adinlen) {
530 ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
534 drbg->state = EVP_RAND_STATE_ERROR;
536 drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
537 if (drbg->reseed_next_counter) {
538 drbg->reseed_next_counter++;
539 if (!drbg->reseed_next_counter)
540 drbg->reseed_next_counter = 1;
546 * NIST SP-800-90A mandates that entropy *shall not* be provided
547 * by the consuming application. Instead the data is added as additional
550 * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)
552 if (!drbg->reseed(drbg, NULL, 0, ent, ent_len)) {
553 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
557 if (!drbg->reseed(drbg, ent, ent_len, adin, adinlen)) {
558 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
561 /* There isn't much point adding the same additional input twice */
567 /* Reseed using our sources in addition */
568 entropylen = get_entropy(drbg, &entropy, drbg->strength,
569 drbg->min_entropylen, drbg->max_entropylen,
570 prediction_resistance);
571 if (entropylen < drbg->min_entropylen
572 || entropylen > drbg->max_entropylen) {
573 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
577 if (!drbg->reseed(drbg, entropy, entropylen, adin, adinlen))
580 drbg->state = EVP_RAND_STATE_READY;
581 drbg->generate_counter = 1;
582 drbg->reseed_time = time(NULL);
583 tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
584 if (drbg->parent != NULL)
585 drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
588 cleanup_entropy(drbg, entropy, entropylen);
589 if (drbg->state == EVP_RAND_STATE_READY)
595 * Generate |outlen| bytes into the buffer at |out|. Reseed if we need
596 * to or if |prediction_resistance| is set. Additional input can be
597 * sent in |adin| and |adinlen|.
599 * Requires that drbg->lock is already locked for write, if non-null.
601 * Returns 1 on success, 0 on failure.
604 int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
605 unsigned int strength, int prediction_resistance,
606 const unsigned char *adin, size_t adinlen)
609 int reseed_required = 0;
611 if (!ossl_prov_is_running())
614 if (drbg->state != EVP_RAND_STATE_READY) {
615 /* try to recover from previous errors */
616 rand_drbg_restart(drbg);
618 if (drbg->state == EVP_RAND_STATE_ERROR) {
619 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
622 if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
623 ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
627 if (strength > drbg->strength) {
628 ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
632 if (outlen > drbg->max_request) {
633 ERR_raise(ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG);
636 if (adinlen > drbg->max_adinlen) {
637 ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
641 fork_id = openssl_get_fork_id();
643 if (drbg->fork_id != fork_id) {
644 drbg->fork_id = fork_id;
648 if (drbg->reseed_interval > 0) {
649 if (drbg->generate_counter >= drbg->reseed_interval)
652 if (drbg->reseed_time_interval > 0) {
653 time_t now = time(NULL);
654 if (now < drbg->reseed_time
655 || now - drbg->reseed_time >= drbg->reseed_time_interval)
658 if (drbg->parent != NULL
659 && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
662 if (reseed_required || prediction_resistance) {
663 if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
665 ERR_raise(ERR_LIB_PROV, PROV_R_RESEED_ERROR);
672 if (!drbg->generate(drbg, out, outlen, adin, adinlen)) {
673 drbg->state = EVP_RAND_STATE_ERROR;
674 ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
678 drbg->generate_counter++;
684 * Restart |drbg|, using the specified entropy or additional input
686 * Tries its best to get the drbg instantiated by all means,
687 * regardless of its current state.
689 * Optionally, a |buffer| of |len| random bytes can be passed,
690 * which is assumed to contain at least |entropy| bits of entropy.
692 * If |entropy| > 0, the buffer content is used as entropy input.
694 * If |entropy| == 0, the buffer content is used as additional input
696 * Returns 1 on success, 0 on failure.
698 * This function is used internally only.
700 static int rand_drbg_restart(PROV_DRBG *drbg)
702 /* repair error state */
703 if (drbg->state == EVP_RAND_STATE_ERROR)
704 drbg->uninstantiate(drbg);
706 /* repair uninitialized state */
707 if (drbg->state == EVP_RAND_STATE_UNINITIALISED)
708 /* reinstantiate drbg */
709 ossl_prov_drbg_instantiate(drbg, drbg->strength, 0, NULL, 0);
711 return drbg->state == EVP_RAND_STATE_READY;
714 /* Provider support from here down */
715 static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
718 if (dispatch != NULL)
719 while (dispatch->function_id != 0) {
720 if (dispatch->function_id == function)
727 int ossl_drbg_enable_locking(void *vctx)
729 PROV_DRBG *drbg = vctx;
731 if (drbg != NULL && drbg->lock == NULL) {
732 if (drbg->parent_enable_locking != NULL)
733 if (!drbg->parent_enable_locking(drbg->parent)) {
734 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
737 drbg->lock = CRYPTO_THREAD_lock_new();
738 if (drbg->lock == NULL) {
739 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
747 * Allocate memory and initialize a new DRBG. The DRBG is allocated on
748 * the secure heap if |secure| is nonzero and the secure heap is enabled.
749 * The |parent|, if not NULL, will be used as random source for reseeding.
750 * This also requires the parent's provider context and the parent's lock.
752 * Returns a pointer to the new DRBG instance on success, NULL on failure.
754 PROV_DRBG *ossl_rand_drbg_new
755 (void *provctx, void *parent, const OSSL_DISPATCH *p_dispatch,
756 int (*dnew)(PROV_DRBG *ctx),
757 int (*instantiate)(PROV_DRBG *drbg,
758 const unsigned char *entropy, size_t entropylen,
759 const unsigned char *nonce, size_t noncelen,
760 const unsigned char *pers, size_t perslen),
761 int (*uninstantiate)(PROV_DRBG *ctx),
762 int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
763 const unsigned char *adin, size_t adin_len),
764 int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
765 const unsigned char *adin, size_t adin_len))
769 const OSSL_DISPATCH *pfunc;
771 if (!ossl_prov_is_running())
774 drbg = OPENSSL_zalloc(sizeof(*drbg));
776 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
780 drbg->provctx = provctx;
781 drbg->instantiate = instantiate;
782 drbg->uninstantiate = uninstantiate;
783 drbg->reseed = reseed;
784 drbg->generate = generate;
785 drbg->fork_id = openssl_get_fork_id();
787 /* Extract parent's functions */
788 drbg->parent = parent;
789 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
790 drbg->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
791 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
792 drbg->parent_lock = OSSL_FUNC_rand_lock(pfunc);
793 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
794 drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
795 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
796 drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
797 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GENERATE)) != NULL)
798 drbg->parent_generate = OSSL_FUNC_rand_generate(pfunc);
799 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL)
800 drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc);
802 /* Set some default maximums up */
803 drbg->max_entropylen = DRBG_MAX_LENGTH;
804 drbg->max_noncelen = DRBG_MAX_LENGTH;
805 drbg->max_perslen = DRBG_MAX_LENGTH;
806 drbg->max_adinlen = DRBG_MAX_LENGTH;
807 drbg->generate_counter = 1;
808 drbg->reseed_counter = 1;
809 drbg->reseed_interval = RESEED_INTERVAL;
810 drbg->reseed_time_interval = TIME_INTERVAL;
815 if (parent != NULL) {
816 if (!get_parent_strength(drbg, &p_str))
818 if (drbg->strength > p_str) {
820 * We currently don't support the algorithm from NIST SP 800-90C
821 * 10.1.2 to use a weaker DRBG as source
823 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
830 ossl_rand_drbg_free(drbg);
834 void ossl_rand_drbg_free(PROV_DRBG *drbg)
839 CRYPTO_THREAD_lock_free(drbg->lock);
843 int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
847 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
848 if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))
851 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
852 if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))
855 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
856 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_request))
859 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN);
860 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))
863 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN);
864 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))
867 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN);
868 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))
871 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN);
872 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))
875 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN);
876 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))
879 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN);
880 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))
883 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
884 if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
887 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME);
888 if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time))
891 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
892 if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))
895 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_COUNTER);
897 && !OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter)))
902 int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
906 p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
907 if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
910 p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
911 if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))
projects / openssl.git / blob