rand: set up EVP and DRBG infrastructure for RAND from providers.
authorPauli <paul.dale@oracle.com>
Fri, 8 May 2020 00:22:45 +0000 (10:22 +1000)
committerPauli <paul.dale@oracle.com>
Wed, 24 Jun 2020 10:05:41 +0000 (20:05 +1000)
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

crypto/evp/rand_meth.c
include/openssl/core_names.h
include/openssl/core_numbers.h
include/openssl/evp.h
providers/implementations/build.info
providers/implementations/include/prov/implementations.h
providers/implementations/rands/build.info [new file with mode: 0644]
providers/implementations/rands/drbg.c [new file with mode: 0644]
providers/implementations/rands/drbg_local.h [new file with mode: 0644]
providers/implementations/rands/rand_crng_test.c

index e2b1d68..0f17454 100644 (file)
@@ -58,18 +58,42 @@ static void *evp_rand_new(void)
         evp_rand_free(rand);
         return NULL;
     }
         evp_rand_free(rand);
         return NULL;
     }
-
     rand->refcnt = 1;
     rand->refcnt = 1;
-
     return rand;
 }
 
     return rand;
 }
 
+/* Enable locking of the underlying DRBG/RAND if available */
+int EVP_RAND_CTX_enable_locking(EVP_RAND_CTX *rand)
+{
+    if (rand->meth->enable_prov_locking != NULL)
+        return rand->meth->enable_prov_locking(rand->data);
+    return 1;
+}
+
+/* Lock the underlying DRBG/RAND if available */
+static int evp_rand_lock(EVP_RAND_CTX *rand)
+{
+    if (rand->meth->prov_lock != NULL)
+        return rand->meth->prov_lock(rand->data);
+    return 1;
+}
+
+/* Unlock the underlying DRBG/RAND if available */
+static void evp_rand_unlock(EVP_RAND_CTX *rand)
+{
+    if (rand->meth->prov_unlock != NULL)
+        rand->meth->prov_unlock(rand->data);
+}
+
 static void *evp_rand_from_dispatch(int name_id,
                                     const OSSL_DISPATCH *fns,
                                     OSSL_PROVIDER *prov)
 {
     EVP_RAND *rand = NULL;
     int fnrandcnt = 0, fnctxcnt = 0;
 static void *evp_rand_from_dispatch(int name_id,
                                     const OSSL_DISPATCH *fns,
                                     OSSL_PROVIDER *prov)
 {
     EVP_RAND *rand = NULL;
     int fnrandcnt = 0, fnctxcnt = 0;
+#ifdef FIPS_MODULE
+    int fnfipscnt = 0;
+#endif
 
     if ((rand = evp_rand_new()) == NULL) {
         EVPerr(0, ERR_R_MALLOC_FAILURE);
 
     if ((rand = evp_rand_new()) == NULL) {
         EVPerr(0, ERR_R_MALLOC_FAILURE);
@@ -172,13 +196,27 @@ static void *evp_rand_from_dispatch(int name_id,
                 break;
             rand->set_ctx_params = OSSL_get_OP_rand_set_ctx_params(fns);
             break;
                 break;
             rand->set_ctx_params = OSSL_get_OP_rand_set_ctx_params(fns);
             break;
+        case OSSL_FUNC_RAND_VERIFY_ZEROIZATION:
+            if (rand->verify_zeroization != NULL)
+                break;
+            rand->verify_zeroization = OSSL_get_OP_rand_verify_zeroization(fns);
+#ifdef FIPS_MODULE
+            fnfipscnt++;
+#endif
+            break;
         }
     }
         }
     }
-    if (fnrandcnt != 3 || fnctxcnt != 2) {
+    if (fnrandcnt != 3
+            || fnctxcnt != 2
+#ifdef FIPS_MODULE
+            || fnfipscnt != 1
+#endif
+       ) {
         /*
          * In order to be a consistent set of functions we must have at least
          * a complete set of "rand" functions and a complete set of context
         /*
          * In order to be a consistent set of functions we must have at least
          * a complete set of "rand" functions and a complete set of context
-         * management functions.
+         * management functions.  In FIPS mode, we also require the zeroization
+         * verification function.
          */
         evp_rand_free(rand);
         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
          */
         evp_rand_free(rand);
         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
@@ -236,8 +274,7 @@ int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[])
     return 1;
 }
 
     return 1;
 }
 
-EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df,
-                               EVP_RAND_CTX *parent)
+EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, EVP_RAND_CTX *parent)
 {
     EVP_RAND_CTX *ctx;
     void *parent_ctx = NULL;
 {
     EVP_RAND_CTX *ctx;
     void *parent_ctx = NULL;
@@ -250,10 +287,11 @@ EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df,
     if (ctx == NULL)
         return NULL;
     if (parent != NULL) {
     if (ctx == NULL)
         return NULL;
     if (parent != NULL) {
+        EVP_RAND_CTX_enable_locking(parent);
         parent_ctx = parent->data;
         parent_dispatch = parent->meth->dispatch;
     }
         parent_ctx = parent->data;
         parent_dispatch = parent->meth->dispatch;
     }
-    if ((ctx->data = rand->newctx(ossl_provider_ctx(rand->prov), secure, df,
+    if ((ctx->data = rand->newctx(ossl_provider_ctx(rand->prov), secure,
                                   parent_ctx, parent_dispatch)) == NULL
             || !EVP_RAND_up_ref(rand)) {
         EVPerr(0, ERR_R_MALLOC_FAILURE);
                                   parent_ctx, parent_dispatch)) == NULL
             || !EVP_RAND_up_ref(rand)) {
         EVPerr(0, ERR_R_MALLOC_FAILURE);
@@ -283,16 +321,31 @@ EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx)
 
 int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[])
 {
 
 int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[])
 {
-    if (ctx->meth->get_ctx_params != NULL)
-        return ctx->meth->get_ctx_params(ctx->data, params);
-    return 1;
+    int res = 1;
+
+    if (ctx->meth->get_ctx_params != NULL) {
+        if (!evp_rand_lock(ctx))
+            return 0;
+        res = ctx->meth->get_ctx_params(ctx->data, params);
+        evp_rand_unlock(ctx);
+    }
+    return res;
 }
 
 int EVP_RAND_CTX_set_params(EVP_RAND_CTX *ctx, const OSSL_PARAM params[])
 {
 }
 
 int EVP_RAND_CTX_set_params(EVP_RAND_CTX *ctx, const OSSL_PARAM params[])
 {
-    if (ctx->meth->set_ctx_params != NULL)
-        return ctx->meth->set_ctx_params(ctx->data, params);
-    return 1;
+    int res = 1;
+
+    if (ctx->meth->set_ctx_params != NULL) {
+        if (!evp_rand_lock(ctx))
+            return 0;
+        res = ctx->meth->set_ctx_params(ctx->data, params);
+        evp_rand_unlock(ctx);
+        /* Clear out the cache state because the values can change on a set */
+        ctx->strength = 0;
+        ctx->max_request = 0;
+    }
+    return res;
 }
 
 const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand)
 }
 
 const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand)
@@ -333,52 +386,133 @@ void EVP_RAND_names_do_all(const EVP_RAND *rand,
         evp_names_do_all(rand->prov, rand->name_id, fn, data);
 }
 
         evp_names_do_all(rand->prov, rand->name_id, fn, data);
 }
 
-int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, int strength,
+int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, unsigned int strength,
                              int prediction_resistance,
                              const unsigned char *pstr, size_t pstr_len)
 {
                              int prediction_resistance,
                              const unsigned char *pstr, size_t pstr_len)
 {
-    return ctx->meth->instantiate(ctx->data, strength, prediction_resistance,
-                                  pstr, pstr_len);
+    int res;
+
+    if (!evp_rand_lock(ctx))
+        return 0;
+    res = ctx->meth->instantiate(ctx->data, strength, prediction_resistance,
+                                 pstr, pstr_len);
+    evp_rand_unlock(ctx);
+    return res;
 }
 
 int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx)
 {
 }
 
 int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx)
 {
-    return ctx->meth->uninstantiate(ctx->data);
+    int res;
+
+    if (!evp_rand_lock(ctx))
+        return 0;
+    res = ctx->meth->uninstantiate(ctx->data);
+    evp_rand_unlock(ctx);
+    return res;
 }
 
 int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen,
 }
 
 int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen,
-                          int strength, int prediction_resistance,
+                          unsigned int strength, int prediction_resistance,
                           const unsigned char *addin, size_t addin_len)
 {
                           const unsigned char *addin, size_t addin_len)
 {
-    return ctx->meth->generate(ctx->data, out, outlen, strength,
-                               prediction_resistance, addin, addin_len);
+    size_t chunk;
+    OSSL_PARAM params[2];
+    int res = 0;
+
+    if (!evp_rand_lock(ctx))
+        return 0;
+    if (ctx->max_request == 0) {
+        params[0] = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_MAX_REQUEST,
+                                                &ctx->max_request);
+        params[1] = OSSL_PARAM_construct_end();
+        if (!EVP_RAND_CTX_get_params(ctx, params)
+                || ctx->max_request == 0)
+            goto err;
+    }
+    for (; outlen > 0; outlen -= chunk, out += chunk) {
+        chunk = outlen > ctx->max_request ? ctx->max_request : outlen;
+        if (!ctx->meth->generate(ctx->data, out, chunk, strength,
+                                 prediction_resistance, addin, addin_len))
+            goto err;
+    }
+    res = 1;
+err:
+    evp_rand_unlock(ctx);
+    return res;
 }
 
 int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance,
 }
 
 int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance,
+                        const unsigned char *ent, size_t ent_len,
                         const unsigned char *addin, size_t addin_len)
 {
                         const unsigned char *addin, size_t addin_len)
 {
-    if (ctx->meth->reseed == NULL)
-        return 1;
-    return ctx->meth->reseed(ctx->data, prediction_resistance,
-                             addin, addin_len);
+    int res = 1;
+
+    if (!evp_rand_lock(ctx))
+        return 0;
+    if (ctx->meth->reseed != NULL)
+        res = ctx->meth->reseed(ctx->data, prediction_resistance,
+                                ent, ent_len, addin, addin_len);
+    evp_rand_unlock(ctx);
+    return res;
 }
 
 int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen)
 {
 }
 
 int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen)
 {
-    if (ctx->meth->nonce != NULL)
-        return ctx->meth->nonce(ctx->data, out, outlen);
-    return ctx->meth->generate(ctx->data, out, outlen, 0, 0, NULL, 0);
+    int res = 1;
+
+    if (!evp_rand_lock(ctx))
+        return 0;
+    if (ctx->meth->nonce == NULL
+            || !ctx->meth->nonce(ctx->data, out, 0, outlen, outlen))
+        res = ctx->meth->generate(ctx->data, out, outlen, 0, 0, NULL, 0);
+    evp_rand_unlock(ctx);
+    return res;
+}
+
+unsigned int EVP_RAND_CTX_strength(EVP_RAND_CTX *ctx)
+{
+    OSSL_PARAM params[2];
+    int res;
+
+    if (ctx->strength == 0) {
+        params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
+                                              &ctx->strength);
+        params[1] = OSSL_PARAM_construct_end();
+        if (!evp_rand_lock(ctx))
+            return 0;
+        res = EVP_RAND_CTX_get_params(ctx, params);
+        evp_rand_unlock(ctx);
+        if (!res)
+            return 0;
+    }
+    return ctx->strength;
 }
 
 }
 
-int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *ctx,
-                               OSSL_CALLBACK *get_entropy,
-                               OSSL_CALLBACK *cleanup_entropy,
-                               OSSL_CALLBACK *get_nonce,
-                               OSSL_CALLBACK *cleanup_nonce)
+int EVP_RAND_CTX_state(EVP_RAND_CTX *ctx)
 {
 {
-    if (ctx->meth->set_callbacks == NULL)
+    OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+    int status, res;
+
+    params[0] = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STATE,
+                                         &status);
+    if (!evp_rand_lock(ctx))
         return 0;
         return 0;
-    return ctx->meth->set_callbacks(ctx->data, get_entropy, cleanup_entropy,
-                                    get_nonce, cleanup_nonce);
+    res = EVP_RAND_CTX_get_params(ctx, params);
+    evp_rand_unlock(ctx);
+    if (!res)
+        status = EVP_RAND_STATE_ERROR;
+    return status;
 }
 
 }
 
+int EVP_RAND_CTX_verify_zeroization(EVP_RAND_CTX *ctx)
+{
+    int res = 0;
+
+    if (ctx->meth->verify_zeroization != NULL) {
+        if (!evp_rand_lock(ctx))
+            return 0;
+        res = ctx->meth->verify_zeroization(ctx->data);
+        evp_rand_unlock(ctx);
+    }
+    return res;
+}
index 7da0186..e7b522a 100644 (file)
@@ -180,6 +180,26 @@ extern "C" {
 #define OSSL_KDF_NAME_KBKDF         "KBKDF"
 #define OSSL_KDF_NAME_KRB5KDF       "KRB5KDF"
 
 #define OSSL_KDF_NAME_KBKDF         "KBKDF"
 #define OSSL_KDF_NAME_KRB5KDF       "KRB5KDF"
 
+/* Know RAND names */
+#define OSSL_RAND_PARAM_STATUS                  "status"
+#define OSSL_RAND_PARAM_STRENGTH                "strength"
+#define OSSL_RAND_PARAM_RESEED_REQUESTS         "reseed_requests"
+#define OSSL_RAND_PARAM_RESEED_TIME_INTERVAL    "reseed_time_interval"
+#define OSSL_RAND_PARAM_MAX_REQUEST             "max_request"
+#define OSSL_RAND_PARAM_MIN_ENTROPYLEN          "min_entropylen"
+#define OSSL_RAND_PARAM_MAX_ENTROPYLEN          "max_entropylen"
+#define OSSL_RAND_PARAM_MIN_NONCELEN            "min_noncelen"
+#define OSSL_RAND_PARAM_MAX_NONCELEN            "max_noncelen"
+#define OSSL_RAND_PARAM_MAX_PERSLEN             "max_perslen"
+#define OSSL_RAND_PARAM_MAX_ADINLEN             "max_adinlen"
+#define OSSL_RAND_PARAM_RESEED_CTR              "reseed_counter"
+#define OSSL_RAND_PARAM_RESEED_PROP_CTR         "reseed_prop_counter"
+#define OSSL_RAND_PARAM_PROPERTIES              OSSL_ALG_PARAM_PROPERTIES
+#define OSSL_RAND_PARAM_DIGEST                  OSSL_ALG_PARAM_DIGEST
+#define OSSL_RAND_PARAM_CIPHER                  OSSL_ALG_PARAM_CIPHER
+#define OSSL_RAND_PARAM_TEST_ENTROPY            "test_entropy"
+#define OSSL_RAND_PARAM_TEST_NONCE              "test_nonce"
+
 /* PKEY parameters */
 /* Common PKEY parameters */
 #define OSSL_PKEY_PARAM_BITS                "bits" /* integer */
 /* PKEY parameters */
 /* Common PKEY parameters */
 #define OSSL_PKEY_PARAM_BITS                "bits" /* integer */
index ce8306e..acc758e 100644 (file)
@@ -359,24 +359,28 @@ OSSL_CORE_MAKE_FUNC(int, OP_kdf_set_ctx_params,
 # define OSSL_FUNC_RAND_GET_CTX_PARAMS               15
 # define OSSL_FUNC_RAND_SET_CTX_PARAMS               16
 # define OSSL_FUNC_RAND_SET_CALLBACKS                17
 # define OSSL_FUNC_RAND_GET_CTX_PARAMS               15
 # define OSSL_FUNC_RAND_SET_CTX_PARAMS               16
 # define OSSL_FUNC_RAND_SET_CALLBACKS                17
+# define OSSL_FUNC_RAND_VERIFY_ZEROIZATION           18
 
 OSSL_CORE_MAKE_FUNC(void *, OP_rand_newctx,
 
 OSSL_CORE_MAKE_FUNC(void *, OP_rand_newctx,
-                    (void *provctx, int secure, unsigned int df, void *parent,
+                    (void *provctx, int secure, void *parent,
                     const OSSL_DISPATCH *parent_calls))
 OSSL_CORE_MAKE_FUNC(void, OP_rand_freectx, (void *vctx))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_instantiate,
                     const OSSL_DISPATCH *parent_calls))
 OSSL_CORE_MAKE_FUNC(void, OP_rand_freectx, (void *vctx))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_instantiate,
-                    (void *vdrbg, int strength, int prediction_resistance,
+                    (void *vdrbg, unsigned int strength,
+                     int prediction_resistance,
                      const unsigned char *pstr, size_t pstr_len))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_uninstantiate, (void *vdrbg))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_generate,
                     (void *vctx, unsigned char *out, size_t outlen,
                      const unsigned char *pstr, size_t pstr_len))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_uninstantiate, (void *vdrbg))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_generate,
                     (void *vctx, unsigned char *out, size_t outlen,
-                     int strength, int prediction_resistance,
+                     unsigned int strength, int prediction_resistance,
                      const unsigned char *addin, size_t addin_len))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_reseed,
                     (void *vctx, int prediction_resistance,
                      const unsigned char *addin, size_t addin_len))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_reseed,
                     (void *vctx, int prediction_resistance,
+                     const unsigned char *ent, size_t ent_len,
                      const unsigned char *addin, size_t addin_len))
                      const unsigned char *addin, size_t addin_len))
-OSSL_CORE_MAKE_FUNC(int, OP_rand_nonce,
-                    (void *vctx, unsigned char *out, size_t outlen))
+OSSL_CORE_MAKE_FUNC(size_t, OP_rand_nonce,
+                    (void *vctx, unsigned char *out, int strength,
+                     size_t min_noncelen, size_t max_noncelen))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_set_callbacks,
                     (void *vctx,
                      OSSL_CALLBACK *get_entropy, OSSL_CALLBACK *cleanup_entropy,
 OSSL_CORE_MAKE_FUNC(int, OP_rand_set_callbacks,
                     (void *vctx,
                      OSSL_CALLBACK *get_entropy, OSSL_CALLBACK *cleanup_entropy,
@@ -392,6 +396,8 @@ OSSL_CORE_MAKE_FUNC(int, OP_rand_get_ctx_params,
                     (void *vctx, OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_set_ctx_params,
                     (void *vctx, const OSSL_PARAM params[]))
                     (void *vctx, OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, OP_rand_set_ctx_params,
                     (void *vctx, const OSSL_PARAM params[]))
+OSSL_CORE_MAKE_FUNC(int, OP_rand_verify_zeroization,
+                    (void *vctx))
 
 /*-
  * Key management
 
 /*-
  * Key management
index 9d8b447..2e6f855 100644 (file)
@@ -1073,7 +1073,7 @@ void EVP_MD_do_all_provided(OPENSSL_CTX *libctx,
 
 /* RAND stuff */
 EVP_RAND *EVP_RAND_fetch(OPENSSL_CTX *libctx, const char *algorithm,
 
 /* RAND stuff */
 EVP_RAND *EVP_RAND_fetch(OPENSSL_CTX *libctx, const char *algorithm,
-                       const char *properties);
+                         const char *properties);
 int EVP_RAND_up_ref(EVP_RAND *rand);
 void EVP_RAND_free(EVP_RAND *rand);
 int EVP_RAND_number(const EVP_RAND *rand);
 int EVP_RAND_up_ref(EVP_RAND *rand);
 void EVP_RAND_free(EVP_RAND *rand);
 int EVP_RAND_number(const EVP_RAND *rand);
@@ -1082,7 +1082,7 @@ int EVP_RAND_is_a(const EVP_RAND *rand, const char *name);
 const OSSL_PROVIDER *EVP_RAND_provider(const EVP_RAND *rand);
 int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]);
 
 const OSSL_PROVIDER *EVP_RAND_provider(const EVP_RAND *rand);
 int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]);
 
-EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df,
+EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure,
                                EVP_RAND_CTX *parent);
 void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx);
 EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx);
                                EVP_RAND_CTX *parent);
 void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx);
 EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx);
@@ -1099,14 +1099,15 @@ void EVP_RAND_names_do_all(const EVP_RAND *rand,
                            void (*fn)(const char *name, void *data),
                            void *data);
 
                            void (*fn)(const char *name, void *data),
                            void *data);
 
-int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, int strength,
+int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, unsigned int strength,
                              int prediction_resistance,
                              const unsigned char *pstr, size_t pstr_len);
 int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx);
 int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen,
                              int prediction_resistance,
                              const unsigned char *pstr, size_t pstr_len);
 int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx);
 int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen,
-                          int strength, int prediction_resistance,
+                          unsigned int strength, int prediction_resistance,
                           const unsigned char *addin, size_t addin_len);
 int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance,
                           const unsigned char *addin, size_t addin_len);
 int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance,
+                        const unsigned char *ent, size_t ent_len,
                         const unsigned char *addin, size_t addin_len);
 int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen);
 int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *rand,
                         const unsigned char *addin, size_t addin_len);
 int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen);
 int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *rand,
@@ -1114,6 +1115,14 @@ int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *rand,
                                OSSL_CALLBACK *cleanup_entropy,
                                OSSL_CALLBACK *get_nonce,
                                OSSL_CALLBACK *cleanup_nonce);
                                OSSL_CALLBACK *cleanup_entropy,
                                OSSL_CALLBACK *get_nonce,
                                OSSL_CALLBACK *cleanup_nonce);
+int EVP_RAND_CTX_enable_locking(EVP_RAND_CTX *ctx);
+int EVP_RAND_CTX_verify_zeroization(EVP_RAND_CTX *ctx);
+unsigned int EVP_RAND_CTX_strength(EVP_RAND_CTX *ctx);
+int EVP_RAND_CTX_state(EVP_RAND_CTX *ctx);
+
+#define EVP_RAND_STATE_UNINITIALISED    0
+#define EVP_RAND_STATE_READY            1
+#define EVP_RAND_STATE_ERROR            2
 
 /* PKEY stuff */
 DEPRECATEDIN_3_0(int EVP_PKEY_decrypt_old(unsigned char *dec_key,
 
 /* PKEY stuff */
 DEPRECATEDIN_3_0(int EVP_PKEY_decrypt_old(unsigned char *dec_key,
index e4cab9b..839478e 100644 (file)
@@ -1,2 +1,2 @@
-SUBDIRS=digests ciphers macs kdfs exchange keymgmt signature asymciphers \
+SUBDIRS=digests ciphers rands macs kdfs exchange keymgmt signature asymciphers \
         serializers
         serializers
index 0589a6e..ee942e9 100644 (file)
@@ -7,6 +7,9 @@
  * https://www.openssl.org/source/license.html
  */
 
  * https://www.openssl.org/source/license.html
  */
 
+#include <openssl/core.h>
+#include <openssl/types.h>
+
 /* Digests */
 extern const OSSL_DISPATCH sha1_functions[];
 extern const OSSL_DISPATCH sha224_functions[];
 /* Digests */
 extern const OSSL_DISPATCH sha1_functions[];
 extern const OSSL_DISPATCH sha224_functions[];
@@ -252,6 +255,12 @@ extern const OSSL_DISPATCH kdf_x942_kdf_functions[];
 #endif
 extern const OSSL_DISPATCH kdf_krb5kdf_functions[];
 
 #endif
 extern const OSSL_DISPATCH kdf_krb5kdf_functions[];
 
+/* RNGs */
+extern const OSSL_DISPATCH test_rng_functions[];
+extern const OSSL_DISPATCH drbg_hash_functions[];
+extern const OSSL_DISPATCH drbg_hmac_functions[];
+extern const OSSL_DISPATCH drbg_ctr_functions[];
+extern const OSSL_DISPATCH crngt_functions[];
 
 /* Key management */
 extern const OSSL_DISPATCH dh_keymgmt_functions[];
 
 /* Key management */
 extern const OSSL_DISPATCH dh_keymgmt_functions[];
diff --git a/providers/implementations/rands/build.info b/providers/implementations/rands/build.info
new file mode 100644 (file)
index 0000000..29f7238
--- /dev/null
@@ -0,0 +1,7 @@
+
+# Missing: drbg_ctr.c
+SOURCE[../../libfips.a]=drbg.c
+SOURCE[../../libnonfips.a]=drbg.c
+
+# Missing: drbg_hmac.c crngt.c
+SOURCE[../../libimplementations.a]=test_rng.c drbg_hash.c
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
new file mode 100644 (file)
index 0000000..c9e4cd4
--- /dev/null
@@ -0,0 +1,884 @@
+/*
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include "crypto/rand.h"
+#include "drbg_local.h"
+#include "internal/thread_once.h"
+#include "crypto/cryptlib.h"
+#include "seeding/seeding.h"
+#include "crypto/rand_pool.h"
+
+/*
+ * Support framework for NIST SP 800-90A DRBG
+ *
+ * See manual page PROV_DRBG(7) for a general overview.
+ *
+ * The OpenSSL model is to have new and free functions, and that new
+ * does all initialization.  That is not the NIST model, which has
+ * instantiation and un-instantiate, and re-use within a new/free
+ * lifecycle.  (No doubt this comes from the desire to support hardware
+ * DRBG, where allocation of resources on something like an HSM is
+ * a much bigger deal than just re-setting an allocated resource.)
+ */
+
+#ifdef FIPS_MODULE
+# define get_entropy        prov_crngt_get_entropy
+# define cleanup_entropy    prov_crngt_cleanup_entropy
+#else
+# define get_entropy        prov_drbg_get_entropy
+# define cleanup_entropy    prov_drbg_cleanup_entropy
+#endif
+
+/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
+
+static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL;
+static unsigned int slave_reseed_interval  = SLAVE_RESEED_INTERVAL;
+
+static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
+static time_t slave_reseed_time_interval  = SLAVE_RESEED_TIME_INTERVAL;
+
+static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
+                                      int function);
+
+int drbg_lock(void *vctx)
+{
+    PROV_DRBG *drbg = vctx;
+
+    if (drbg == NULL || drbg->lock == NULL)
+        return 1;
+    return CRYPTO_THREAD_write_lock(drbg->lock);
+}
+
+void drbg_unlock(void *vctx)
+{
+    PROV_DRBG *drbg = vctx;
+
+    if (drbg != NULL && drbg->lock != NULL)
+        CRYPTO_THREAD_unlock(drbg->lock);
+}
+
+static int drbg_lock_parent(PROV_DRBG *drbg)
+{
+    void *parent = drbg->parent;
+    const OSSL_DISPATCH *pfunc;
+
+    if (parent != NULL) {
+        pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_LOCK);
+        if (pfunc != NULL && !OSSL_get_OP_rand_lock(pfunc)(parent)) {
+            ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED);
+            return 0;
+        }
+    }
+    return 1;
+}
+
+static void drbg_unlock_parent(PROV_DRBG *drbg)
+{
+    void *parent = drbg->parent;
+    const OSSL_DISPATCH *pfunc;
+
+    if (parent != NULL) {
+        pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_UNLOCK);
+        if (pfunc != NULL)
+            OSSL_get_OP_rand_unlock(pfunc)(parent);
+    }
+}
+
+static int get_parent_strength(PROV_DRBG *drbg, int *str)
+{
+    OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+    const OSSL_DISPATCH *pfunc;
+    void *parent = drbg->parent;
+
+    pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS);
+    if (pfunc == NULL) {
+        ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH);
+        return 0;
+    }
+    *params = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STRENGTH, str);
+    if (!drbg_lock_parent(drbg)) {
+        ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT);
+        return 0;
+    }
+    if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) {
+        drbg_unlock_parent(drbg);
+        ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH);
+        return 0;
+    }
+    drbg_unlock_parent(drbg);
+    return 1;
+}
+
+static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)
+{
+    OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+    const OSSL_DISPATCH *pfunc;
+    void *parent = drbg->parent;
+    unsigned int r;
+
+    pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS);
+    if (pfunc == NULL) {
+        ERR_raise(ERR_LIB_PROV,
+                  RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER);
+        goto err;
+    }
+    *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_RESEED_PROP_CTR, &r);
+    if (!drbg_lock_parent(drbg)) {
+        ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT);
+        goto err;
+    }
+    if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) {
+        drbg_unlock_parent(drbg);
+        ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_RESEED_PROP_CTR);
+        goto err;
+    }
+    drbg_unlock_parent(drbg);
+    return r;
+
+ err:
+    r = tsan_load(&drbg->reseed_prop_counter) - 2;
+    if (r == 0)
+        r = UINT_MAX;
+    return r;
+}
+
+#ifndef FIPS_MODULE
+/*
+ * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks())
+ *
+ * If the DRBG has a parent, then the required amount of entropy input
+ * is fetched using the parent's RAND_DRBG_generate().
+ *
+ * Otherwise, the entropy is polled from the system entropy sources
+ * using rand_pool_acquire_entropy().
+ *
+ * If a random pool has been added to the DRBG using RAND_add(), then
+ * its entropy will be used up first.
+ */
+static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout,
+                                    int entropy, size_t min_len, size_t max_len,
+                                    int prediction_resistance)
+{
+    size_t ret = 0;
+    size_t entropy_available = 0;
+    RAND_POOL *pool;
+    int p_str;
+    const OSSL_DISPATCH *pfunc;
+
+    if (drbg->parent != NULL) {
+        if (!get_parent_strength(drbg, &p_str))
+            return 0;
+        if (drbg->strength > p_str) {
+            /*
+             * We currently don't support the algorithm from NIST SP 800-90C
+             * 10.1.2 to use a weaker DRBG as source
+             */
+            RANDerr(0, RAND_R_PARENT_STRENGTH_TOO_WEAK);
+            return 0;
+        }
+    }
+
+    if (drbg->seed_pool != NULL) {
+        pool = drbg->seed_pool;
+        pool->entropy_requested = entropy;
+    } else {
+        pool = rand_pool_new(entropy, drbg->secure, min_len, max_len);
+        if (pool == NULL)
+            return 0;
+    }
+
+    if (drbg->parent != NULL) {
+        size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+        unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed);
+
+        if (buffer != NULL) {
+            size_t bytes = 0;
+
+            /*
+             * Get random data from parent. Include our address as additional input,
+             * in order to provide some additional distinction between different
+             * DRBG child instances.
+             * Our lock is already held, but we need to lock our parent before
+             * generating bits from it. (Note: taking the lock will be a no-op
+             * if locking if drbg->parent->lock == NULL.)
+             */
+            pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GENERATE);
+            if (pfunc == NULL)
+                return 0;
+            drbg_lock_parent(drbg);
+            if (OSSL_get_OP_rand_generate(pfunc)(drbg->parent, buffer, bytes_needed,
+                                                 drbg->strength,
+                                                 prediction_resistance,
+                                                 (unsigned char *)&drbg,
+                                                 sizeof(drbg)) != 0)
+                bytes = bytes_needed;
+            drbg->reseed_next_counter = get_parent_reseed_count(drbg);
+            drbg_unlock_parent(drbg);
+
+            rand_pool_add_end(pool, bytes, 8 * bytes);
+            entropy_available = rand_pool_entropy_available(pool);
+        }
+    } else {
+        /* Get entropy by polling system entropy sources. */
+        entropy_available = rand_pool_acquire_entropy(pool);
+    }
+
+    if (entropy_available > 0) {
+        ret   = rand_pool_length(pool);
+        *pout = rand_pool_detach(pool);
+    }
+
+    if (drbg->seed_pool == NULL)
+        rand_pool_free(pool);
+    return ret;
+}
+
+/*
+ * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks())
+ *
+ */
+static void prov_drbg_cleanup_entropy(PROV_DRBG *drbg,
+                                      unsigned char *out, size_t outlen)
+{
+    if (drbg->seed_pool == NULL) {
+        if (drbg->secure)
+            OPENSSL_secure_clear_free(out, outlen);
+        else
+            OPENSSL_clear_free(out, outlen);
+    }
+}
+#endif
+
+#ifndef PROV_RAND_GET_RANDOM_NONCE
+typedef struct prov_drbg_nonce_global_st {
+    CRYPTO_RWLOCK *rand_nonce_lock;
+    int rand_nonce_count;
+} PROV_DRBG_NONCE_GLOBAL;
+
+/*
+ * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
+ * which needs to get the rand_nonce_lock out of the OPENSSL_CTX...but since
+ * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
+ * to be in a different global data object. Otherwise we will go into an
+ * infinite recursion loop.
+ */
+static void *prov_drbg_nonce_ossl_ctx_new(OPENSSL_CTX *libctx)
+{
+    PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
+
+    if (dngbl == NULL)
+        return NULL;
+
+    dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();
+    if (dngbl->rand_nonce_lock == NULL) {
+        OPENSSL_free(dngbl);
+        return NULL;
+    }
+
+    return dngbl;
+}
+
+static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl)
+{
+    PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;
+
+    if (dngbl == NULL)
+        return;
+
+    CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);
+
+    OPENSSL_free(dngbl);
+}
+
+static const OPENSSL_CTX_METHOD drbg_nonce_ossl_ctx_method = {
+    prov_drbg_nonce_ossl_ctx_new,
+    prov_drbg_nonce_ossl_ctx_free,
+};
+
+/* Get a nonce from the operating system */
+static size_t prov_drbg_get_nonce(PROV_DRBG *drbg,
+                                  unsigned char **pout,
+                                  int entropy, size_t min_len, size_t max_len)
+{
+    size_t ret = 0;
+    RAND_POOL *pool;
+    PROV_DRBG_NONCE_GLOBAL *dngbl
+        = openssl_ctx_get_data(drbg->libctx, OPENSSL_CTX_DRBG_NONCE_INDEX,
+                               &drbg_nonce_ossl_ctx_method);
+    struct {
+        void *instance;
+        int count;
+    } data;
+    
+
+    if (dngbl == NULL)
+        return 0;
+
+    memset(&data, 0, sizeof(data));
+    pool = rand_pool_new(0, 0, min_len, max_len);
+    if (pool == NULL)
+        return 0;
+
+    if (rand_pool_add_nonce_data(pool) == 0)
+        goto err;
+
+    data.instance = drbg;
+    CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
+                      dngbl->rand_nonce_lock);
+
+    if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0)
+        goto err;
+
+    ret   = rand_pool_length(pool);
+    *pout = rand_pool_detach(pool);
+
+ err:
+    rand_pool_free(pool);
+
+    return ret;
+}
+#endif
+
+/*
+ * Implements the cleanup_nonce() callback (see PROV_DRBG_set_callbacks())
+ *
+ */
+static void prov_drbg_cleanup_nonce(PROV_DRBG *drbg,
+                                    unsigned char *out, size_t outlen)
+{
+    OPENSSL_clear_free(out, outlen);
+}
+
+/*
+ * Instantiate |drbg|, after it has been initialized.  Use |pers| and
+ * |perslen| as prediction-resistance input.
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int PROV_DRBG_instantiate(PROV_DRBG *drbg, int strength,
+                          int prediction_resistance,
+                          const unsigned char *pers, size_t perslen,
+                          int (*ifnc)(PROV_DRBG *drbg,
+                                      const unsigned char *ent, size_t ent_len,
+                                      const unsigned char *nonce,
+                                      size_t nonce_len,
+                                      const unsigned char *pstr,
+                                      size_t pstr_len))
+{
+    unsigned char *nonce = NULL, *entropy = NULL;
+    size_t noncelen = 0, entropylen = 0;
+    size_t min_entropy, min_entropylen, max_entropylen;
+    const OSSL_DISPATCH *pnonce;
+
+    if (strength > drbg->strength) {
+        PROVerr(0, RAND_R_INSUFFICIENT_DRBG_STRENGTH);
+        goto end;
+    }
+    min_entropy = drbg->strength;
+    min_entropylen = drbg->min_entropylen;
+    max_entropylen = drbg->max_entropylen;
+
+    if (pers == NULL) {
+        pers = (const unsigned char *)ossl_pers_string;
+        perslen = sizeof(ossl_pers_string);
+    }
+    if (perslen > drbg->max_perslen) {
+        PROVerr(0, RAND_R_PERSONALISATION_STRING_TOO_LONG);
+        goto end;
+    }
+
+    if (drbg->state != DRBG_UNINITIALISED) {
+        if (drbg->state == DRBG_ERROR)
+            PROVerr(0, RAND_R_IN_ERROR_STATE);
+        else
+            PROVerr(0, RAND_R_ALREADY_INSTANTIATED);
+        goto end;
+    }
+
+    drbg->state = DRBG_ERROR;
+
+    if (drbg->min_noncelen > 0) {
+#ifndef PROV_RAND_GET_RANDOM_NONCE
+        if (drbg->parent != NULL)
+#endif
+        {
+            pnonce = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_NONCE);
+            if (pnonce == NULL) {
+                /*
+                 * NIST SP800-90Ar1 section 9.1 says you can combine getting
+                 * the entropy and nonce in 1 call by increasing the entropy
+                 * with 50% and increasing the minimum length to accommodate
+                 * the length of the nonce. We do this in case a nonce is
+                 * required and there is no parental nonce capability.
+                 */
+                min_entropy += drbg->strength / 2;
+                min_entropylen += drbg->min_noncelen;
+                max_entropylen += drbg->max_noncelen;
+            } else {
+                drbg_lock_parent(drbg);
+                noncelen = OSSL_get_OP_rand_nonce(pnonce)(drbg->parent, &nonce,
+                                                          drbg->strength / 2,
+                                                          drbg->min_noncelen,
+                                                          drbg->max_noncelen);
+                drbg_unlock_parent(drbg);
+                if (noncelen < drbg->min_noncelen
+                        || noncelen > drbg->max_noncelen) {
+                    PROVerr(0, RAND_R_ERROR_RETRIEVING_NONCE);
+                    goto end;
+                }
+            }
+        }
+#ifndef PROV_RAND_GET_RANDOM_NONCE
+        else { /* parent == NULL */
+            noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->strength / 2,
+                                           drbg->min_noncelen, 
+                                           drbg->max_noncelen);
+            if (noncelen < drbg->min_noncelen
+                    || noncelen > drbg->max_noncelen) {
+                PROVerr(0, RAND_R_ERROR_RETRIEVING_NONCE);
+                goto end;
+            }
+        }
+#endif
+    }
+
+    drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
+    if (drbg->reseed_next_counter) {
+        drbg->reseed_next_counter++;
+        if(!drbg->reseed_next_counter)
+            drbg->reseed_next_counter = 1;
+    }
+
+    entropylen = get_entropy(drbg, &entropy, min_entropy,
+                             min_entropylen, max_entropylen,
+                             prediction_resistance);
+    if (entropylen < min_entropylen
+            || entropylen > max_entropylen) {
+        PROVerr(0, RAND_R_ERROR_RETRIEVING_ENTROPY);
+        goto end;
+    }
+
+    if (!ifnc(drbg, entropy, entropylen, nonce, noncelen, pers, perslen)) {
+        PROVerr(0, RAND_R_ERROR_INSTANTIATING_DRBG);
+        goto end;
+    }
+
+    drbg->state = DRBG_READY;
+    drbg->reseed_gen_counter = 1;
+    drbg->reseed_time = time(NULL);
+    tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
+
+ end:
+    if (entropy != NULL)
+        cleanup_entropy(drbg, entropy, entropylen);
+    if (nonce != NULL)
+        prov_drbg_cleanup_nonce(drbg, nonce, noncelen);
+    if (drbg->state == DRBG_READY)
+        return 1;
+    return 0;
+}
+
+/*
+ * Reseed |drbg|, mixing in the specified data
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
+                     const unsigned char *ent, size_t ent_len,
+                     const unsigned char *adin, size_t adinlen,
+                     int (*reseed)(PROV_DRBG *drbg,
+                                   const unsigned char *ent, size_t ent_len,
+                                   const unsigned char *adin, size_t adin_len))
+{
+    unsigned char *entropy = NULL;
+    size_t entropylen = 0;
+
+    if (drbg->state == DRBG_ERROR) {
+        PROVerr(0, RAND_R_IN_ERROR_STATE);
+        return 0;
+    }
+    if (drbg->state == DRBG_UNINITIALISED) {
+        PROVerr(0, RAND_R_NOT_INSTANTIATED);
+        return 0;
+    }
+
+    if (adin == NULL) {
+        adinlen = 0;
+    } else if (adinlen > drbg->max_adinlen) {
+        PROVerr(0, RAND_R_ADDITIONAL_INPUT_TOO_LONG);
+        return 0;
+    }
+
+    drbg->state = DRBG_ERROR;
+
+    drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
+    if (drbg->reseed_next_counter) {
+        drbg->reseed_next_counter++;
+        if(!drbg->reseed_next_counter)
+            drbg->reseed_next_counter = 1;
+    }
+
+    entropylen = get_entropy(drbg, &entropy, drbg->strength,
+                             drbg->min_entropylen, drbg->max_entropylen,
+                             prediction_resistance);
+    if (entropylen < drbg->min_entropylen
+            || entropylen > drbg->max_entropylen) {
+        PROVerr(0, RAND_R_ERROR_RETRIEVING_ENTROPY);
+        goto end;
+    }
+
+    if (!reseed(drbg, entropy, entropylen, adin, adinlen))
+        goto end;
+
+    drbg->state = DRBG_READY;
+    drbg->reseed_gen_counter = 1;
+    drbg->reseed_time = time(NULL);
+    tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
+
+ end:
+    if (entropy != NULL)
+        OPENSSL_cleanse(entropy, entropylen);
+    if (drbg->state == DRBG_READY)
+        return 1;
+    return 0;
+}
+
+/*
+ * Generate |outlen| bytes into the buffer at |out|.  Reseed if we need
+ * to or if |prediction_resistance| is set.  Additional input can be
+ * sent in |adin| and |adinlen|.
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
+ *
+ */
+int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+                       int strength, int prediction_resistance,
+                       const unsigned char *adin, size_t adinlen,
+                       int (*generate)(PROV_DRBG *, unsigned char *out,
+                                       size_t outlen, const unsigned char *adin,
+                                       size_t adin_len),
+                       int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent,
+                                     size_t ent_len, const unsigned char *adin,
+                                     size_t adin_len))
+{
+    int fork_id;
+    int reseed_required = 0;
+
+    if (drbg->state != DRBG_READY) {
+        if (drbg->state == DRBG_ERROR) {
+            PROVerr(0, RAND_R_IN_ERROR_STATE);
+            return 0;
+        }
+        if (drbg->state == DRBG_UNINITIALISED) {
+            PROVerr(0, RAND_R_NOT_INSTANTIATED);
+            return 0;
+        }
+    }
+
+    if (outlen > drbg->max_request) {
+        PROVerr(0, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG);
+        return 0;
+    }
+    if (adinlen > drbg->max_adinlen) {
+        PROVerr(0, RAND_R_ADDITIONAL_INPUT_TOO_LONG);
+        return 0;
+    }
+
+    fork_id = openssl_get_fork_id();
+
+    if (drbg->fork_id != fork_id) {
+        drbg->fork_id = fork_id;
+        reseed_required = 1;
+    }
+
+    if (drbg->reseed_interval > 0) {
+        if (drbg->reseed_gen_counter > drbg->reseed_interval)
+            reseed_required = 1;
+    }
+    if (drbg->reseed_time_interval > 0) {
+        time_t now = time(NULL);
+        if (now < drbg->reseed_time
+            || now - drbg->reseed_time >= drbg->reseed_time_interval)
+            reseed_required = 1;
+    }
+    if (drbg->parent != NULL) {
+        unsigned int reseed_counter = 0;
+
+        if (reseed_counter > 0
+            && get_parent_reseed_count(drbg) !=
+               tsan_load(&drbg->reseed_prop_counter))
+            reseed_required = 1;
+    }
+
+    if (reseed_required || prediction_resistance) {
+        if (!PROV_DRBG_reseed(drbg, prediction_resistance, NULL, 0,
+                              adin, adinlen, reseed)) {
+            PROVerr(0, RAND_R_RESEED_ERROR);
+            return 0;
+        }
+        adin = NULL;
+        adinlen = 0;
+    }
+
+    if (!generate(drbg, out, outlen, adin, adinlen)) {
+        drbg->state = DRBG_ERROR;
+        PROVerr(0, RAND_R_GENERATE_ERROR);
+        return 0;
+    }
+
+    drbg->reseed_gen_counter++;
+
+    return 1;
+}
+
+#if 0
+/*
+ * Calculates the minimum length of a full entropy buffer
+ * which is necessary to seed (i.e. instantiate) the DRBG
+ * successfully.
+ */
+size_t prov_drbg_seedlen(PROV_DRBG *drbg)
+{
+    /*
+     * If no os entropy source is available then PROV_seed(buffer, bufsize)
+     * is expected to succeed if and only if the buffer length satisfies
+     * the following requirements, which follow from the calculations
+     * in PROV_DRBG_instantiate().
+     */
+    size_t min_entropy = drbg->strength;
+    size_t min_entropylen = drbg->min_entropylen;
+
+    /*
+     * Extra entropy for the random nonce in the absence of a
+     * get_nonce callback, see comment in PROV_DRBG_instantiate().
+     */
+    if (drbg->min_noncelen > 0) {
+#ifndef PROV_RAND_GET_RANDOM_NONCE
+        if (drbg->parent != NULL)
+#endif
+            if (find_call(drbg->parent_dispatch,
+                          OSSL_FUNC_RAND_NONCE) == NULL) {
+                min_entropy += drbg->strength / 2;
+                min_entropylen += drbg->min_noncelen;
+            }
+    }
+
+    /*
+     * Convert entropy requirement from bits to bytes
+     * (dividing by 8 without rounding upwards, because
+     * all entropy requirements are divisible by 8).
+     */
+    min_entropy >>= 3;
+
+    /* Return a value that satisfies both requirements */
+    return min_entropy > min_entropylen ? min_entropy : min_entropylen;
+}
+#endif
+
+/* Provider support from here down */
+static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
+                                      int function)
+{
+    if (dispatch != NULL)
+        while (dispatch->function_id != 0)
+            if (dispatch->function_id == function)
+                return dispatch;
+    return NULL;
+}
+
+int drbg_enable_locking(void *vctx)
+{
+    PROV_DRBG *drbg = vctx;
+    const OSSL_DISPATCH *pfunc;
+
+    if (drbg == NULL)
+        return 1;
+    if (drbg->lock == NULL) {
+        if (drbg->state != DRBG_UNINITIALISED) {
+            ERR_raise(ERR_LIB_PROV, RAND_R_DRBG_ALREADY_INITIALIZED);
+            return 0;
+        }
+
+        pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING);
+        if (pfunc != NULL)
+            if (!OSSL_get_OP_rand_enable_locking(pfunc)(drbg->parent)) {
+                ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED);
+                return 0;
+            }
+        drbg->lock = CRYPTO_THREAD_lock_new();
+        if (drbg->lock == NULL) {
+            ERR_raise(ERR_LIB_PROV, RAND_R_FAILED_TO_CREATE_LOCK);
+            return 0;
+        }
+    }
+    return 1;
+}
+
+/*
+ * Allocate memory and initialize a new DRBG. The DRBG is allocated on
+ * the secure heap if |secure| is nonzero and the secure heap is enabled.
+ * The |parent|, if not NULL, will be used as random source for reseeding.
+ * This also requires the parent's provider context and the parent's lock.
+ *
+ * Returns a pointer to the new DRBG instance on success, NULL on failure.
+ */
+PROV_DRBG *prov_rand_drbg_new(void *provctx, int secure, void *parent,
+                              const OSSL_DISPATCH *parent_dispatch,
+                              int (*dnew)(PROV_DRBG *ctx, int secure))
+{
+    PROV_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg));
+    int p_str;
+
+    if (drbg == NULL) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+
+    drbg->libctx = provctx;
+    drbg->secure = secure;
+    drbg->parent = parent;
+    drbg->parent_dispatch = parent_dispatch;
+
+    /* Set some default maximums up */
+    drbg->max_entropylen = DRBG_MAX_LENGTH;
+    drbg->max_noncelen = DRBG_MAX_LENGTH;
+    drbg->max_perslen = DRBG_MAX_LENGTH;
+    drbg->max_adinlen = DRBG_MAX_LENGTH;
+    drbg->reseed_gen_counter = 1;
+
+    /* TODO(3.0) clean this up */
+    if (parent == NULL) {
+        drbg->reseed_interval = master_reseed_interval;
+        drbg->reseed_time_interval = master_reseed_time_interval;
+    } else {
+        /*
+         * Do not provide nonce callbacks, the child DRBGs will
+         * obtain their nonce using random bits from the parent.
+         */
+        drbg->reseed_interval = slave_reseed_interval;
+        drbg->reseed_time_interval = slave_reseed_time_interval;
+    }
+
+    if (!dnew(drbg, secure))
+        goto err;
+
+    if (parent != NULL) {
+        if (!get_parent_strength(drbg, &p_str))
+            goto err;
+        if (drbg->strength > p_str) {
+            /*
+             * We currently don't support the algorithm from NIST SP 800-90C
+             * 10.1.2 to use a weaker DRBG as source
+             */
+            ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_STRENGTH_TOO_WEAK);
+            goto err;
+        }
+    }
+    return drbg;
+
+ err:
+    prov_rand_drbg_free(drbg);
+    return NULL;
+}
+
+void prov_rand_drbg_free(PROV_DRBG *drbg)
+{
+    if (drbg == NULL)
+        return;
+
+    rand_pool_free(drbg->adin_pool);
+    CRYPTO_THREAD_lock_free(drbg->lock);
+#ifndef FIPS_MODULE
+    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RAND_DRBG, drbg, &drbg->ex_data);
+#endif
+}
+
+int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
+{
+    OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATUS);
+    if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
+    if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_request))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MIN_ENTROPYLEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_ENTROPYLEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MIN_NONCELEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_NONCELEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_PERSLEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_ADINLEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_CTR);
+    if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_gen_counter))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_REQUESTS);
+    if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_TIME_INTERVAL);
+    if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_PROP_CTR);
+    if (p != NULL
+            && !OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_prop_counter)))
+        return 0;
+    return 1;
+}
+
+int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
+{
+    const OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_RESEED_REQUESTS);
+    if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
+        return 0;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_RESEED_TIME_INTERVAL);
+    if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))
+        return 0;
+    return 1;
+}
diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
new file mode 100644 (file)
index 0000000..a605186
--- /dev/null
@@ -0,0 +1,287 @@
+/*
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_PROV_LOCAL_H
+# define OSSL_CRYPTO_PROV_LOCAL_H
+
+# include <openssl/evp.h>
+# include <openssl/core_numbers.h>
+# include <openssl/core_names.h>
+# include <openssl/params.h>
+# include "internal/tsan_assist.h"
+
+# include "internal/numbers.h"
+
+/* How many times to read the TSC as a randomness source. */
+# define TSC_READ_COUNT                 4
+
+/* Maximum reseed intervals */
+# define MAX_RESEED_INTERVAL                     (1 << 24)
+# define MAX_RESEED_TIME_INTERVAL                (1 << 20) /* approx. 12 days */
+
+/* Default reseed intervals */
+# define MASTER_RESEED_INTERVAL                  (1 << 8)
+# define SLAVE_RESEED_INTERVAL                   (1 << 16)
+# define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */
+# define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */
+
+/*
+ * The number of bytes that constitutes an atomic lump of entropy with respect
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests.  The size is somewhat
+ * arbitrary, the smaller the value, the less entropy is consumed on first
+ * read but the higher the probability of the test failing by accident.
+ *
+ * The value is in bytes.
+ */
+#define CRNGT_BUFSIZ    16
+
+/*
+ * Maximum input size for the DRBG (entropy, nonce, personalization string)
+ *
+ * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes.
+ *
+ * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes.
+ */
+# define DRBG_MAX_LENGTH                         INT32_MAX
+
+/* The default nonce */
+#ifdef CHARSET_EBCDIC
+# define DRBG_DEFAULT_PERS_STRING      { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \
+     0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \
+     0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00};
+#else
+# define DRBG_DEFAULT_PERS_STRING                "OpenSSL NIST SP 800-90A DRBG"
+#endif
+
+typedef struct prov_drbg_st PROV_DRBG;
+
+/* DRBG status values */
+typedef enum drbg_status_e {
+    DRBG_UNINITIALISED,
+    DRBG_READY,
+    DRBG_ERROR
+} DRBG_STATUS;
+
+/*
+ * The DRBG methods
+ */
+
+typedef struct rand_drbg_hmac_st {
+    EVP_MD *md;
+    HMAC_CTX *ctx;
+    size_t blocklen;
+    unsigned char K[EVP_MAX_MD_SIZE];
+    unsigned char V[EVP_MAX_MD_SIZE];
+} PROV_DRBG_HMAC;
+
+/*
+ * The state of a DRBG AES-CTR.
+ */
+typedef struct rand_drbg_ctr_st {
+    EVP_CIPHER_CTX *ctx_ecb;
+    EVP_CIPHER_CTX *ctx_ctr;
+    EVP_CIPHER_CTX *ctx_df;
+    EVP_CIPHER *cipher_ecb;
+    EVP_CIPHER *cipher_ctr;
+    size_t keylen;
+    unsigned char K[32];
+    unsigned char V[16];
+    /* Temporary block storage used by ctr_df */
+    unsigned char bltmp[16];
+    size_t bltmp_pos;
+    unsigned char KX[48];
+} PROV_DRBG_CTR;
+
+
+/*
+ * The state of all types of DRBGs, even though we only have CTR mode
+ * right now.
+ */
+struct prov_drbg_st {
+    CRYPTO_RWLOCK *lock;
+    /* The library context this DRBG is associated with, if any */
+    OPENSSL_CTX *libctx;
+    void *parent;
+    const OSSL_DISPATCH *parent_dispatch;
+    int secure; /* 1: allocated on the secure heap, 0: otherwise */
+    /*
+     * Stores the return value of openssl_get_fork_id() as of when we last
+     * reseeded.  The DRBG reseeds automatically whenever drbg->fork_id !=
+     * openssl_get_fork_id().  Used to provide fork-safety and reseed this
+     * DRBG in the child process.
+     */
+    int fork_id;
+    unsigned short flags; /* various external flags */
+
+    /*
+     * The random_data is used by PROV_add()/drbg_add() to attach random
+     * data to the global drbg, such that the rand_drbg_get_entropy() callback
+     * can pull it during instantiation and reseeding. This is necessary to
+     * reconcile the different philosophies of the PROV and the PROV_DRBG
+     * with respect to how randomness is added to the RNG during reseeding
+     * (see PR #4328).
+     */
+    struct rand_pool_st *seed_pool;
+
+    /*
+     * Auxiliary pool for additional data.
+     */
+    struct rand_pool_st *adin_pool;
+
+    /*
+     * The following parameters are setup by the per-type "init" function.
+     *
+     * The supported types and their init functions are:
+     *    (1) CTR_DRBG:  drbg_ctr_init().
+     *    (2) HMAC_DRBG: drbg_hmac_init().
+     *    (3) HASH_DRBG: drbg_hash_init().
+     *
+     * The parameters are closely related to the ones described in
+     * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
+     * crucial difference: In the NIST standard, all counts are given
+     * in bits, whereas in OpenSSL entropy counts are given in bits
+     * and buffer lengths are given in bytes.
+     *
+     * Since this difference has lead to some confusion in the past,
+     * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
+     * the 'len' suffix has been added to all buffer sizes for
+     * clarification.
+     */
+
+    int strength;
+    size_t max_request;
+    size_t min_entropylen, max_entropylen;
+    size_t min_noncelen, max_noncelen;
+    size_t max_perslen, max_adinlen;
+
+    /*
+     * Counts the number of generate requests since the last reseed
+     * (Starts at 1). This value is the reseed_counter as defined in
+     * NIST SP 800-90Ar1
+     */
+    unsigned int reseed_gen_counter;
+    /*
+     * Maximum number of generate requests until a reseed is required.
+     * This value is ignored if it is zero.
+     */
+    unsigned int reseed_interval;
+    /* Stores the time when the last reseeding occurred */
+    time_t reseed_time;
+    /*
+     * Specifies the maximum time interval (in seconds) between reseeds.
+     * This value is ignored if it is zero.
+     */
+    time_t reseed_time_interval;
+    /*
+     * Counts the number of reseeds since instantiation.
+     * This value is ignored if it is zero.
+     *
+     * This counter is used only for seed propagation from the <master> DRBG
+     * to its two children, the <public> and <private> DRBG. This feature is
+     * very special and its sole purpose is to ensure that any randomness which
+     * is added by PROV_add() or PROV_seed() will have an immediate effect on
+     * the output of PROV_bytes() resp. PROV_priv_bytes().
+     */
+    TSAN_QUALIFIER unsigned int reseed_prop_counter;
+    unsigned int reseed_next_counter;
+
+    size_t seedlen;
+    DRBG_STATUS state;
+
+    void *data;
+
+#ifndef FIPS_MODULE
+    /* Application data, mainly used in the KATs. */
+    CRYPTO_EX_DATA ex_data;
+#endif
+};
+
+/* DRBG helpers */
+int rand_drbg_restart(PROV_DRBG *drbg,
+                      const unsigned char *buffer, size_t len, size_t entropy);
+size_t rand_drbg_seedlen(PROV_DRBG *drbg);
+
+PROV_DRBG *prov_rand_drbg_new(void *provctx, int secure, void *parent,
+                              const OSSL_DISPATCH *parent_dispatch,
+                              int (*dnew)(PROV_DRBG *ctx, int secure));
+void prov_rand_free(PROV_DRBG *drbg);
+
+int PROV_DRBG_instantiate(PROV_DRBG *drbg, int strength,
+                          int prediction_resistance,
+                          const unsigned char *pers, size_t perslen,
+                          int (*ifnc)(PROV_DRBG *drbg,
+                                      const unsigned char *ent, size_t ent_len,
+                                      const unsigned char *nonce,
+                                      size_t nonce_len,
+                                      const unsigned char *pstr,
+                                      size_t pstr_len));
+
+int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
+                     const unsigned char *ent, size_t ent_len,
+                     const unsigned char *adin, size_t adinlen,
+                     int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent,
+                                   size_t ent_len, const unsigned char *adin,
+                                   size_t adin_len));
+
+int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+                       int strength, int prediction_resistance,
+                       const unsigned char *adin, size_t adinlen,
+                       int (*generate)(PROV_DRBG *, unsigned char *out,
+                                       size_t outlen, const unsigned char *adin,
+                                       size_t adin_len),
+                       int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent,
+                                     size_t ent_len, const unsigned char *adin,
+                                     size_t adin_len));
+
+/* locking api */
+OSSL_OP_rand_enable_locking_fn drbg_enable_locking;
+OSSL_OP_rand_lock_fn drbg_lock;
+OSSL_OP_rand_unlock_fn drbg_unlock;
+
+int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]);
+int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]);
+
+#define OSSL_PARAM_DRBG_SETABLE_CTX_COMMON                                      \
+    OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_REQUESTS, NULL),             \
+    OSSL_PARAM_uint64(OSSL_RAND_PARAM_RESEED_TIME_INTERVAL, NULL)
+
+#define OSSL_PARAM_DRBG_GETABLE_CTX_COMMON                              \
+    OSSL_PARAM_int(OSSL_RAND_PARAM_STATUS, NULL),                       \
+    OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL),                    \
+    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL),               \
+    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MIN_ENTROPYLEN, NULL),            \
+    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_ENTROPYLEN, NULL),            \
+    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MIN_NONCELEN, NULL),              \
+    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_NONCELEN, NULL),              \
+    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_PERSLEN, NULL),               \
+    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_ADINLEN, NULL),               \
+    OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_CTR, NULL),                  \
+    OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_REQUESTS, NULL),             \
+    OSSL_PARAM_uint64(OSSL_RAND_PARAM_RESEED_TIME_INTERVAL, NULL)
+
+size_t prov_crngt_get_entropy(PROV_DRBG *drbg,
+                              unsigned char **pout,
+                              int entropy, size_t min_len, size_t max_len,
+                              int prediction_resistance);
+void prov_crngt_cleanup_entropy(PROV_DRBG *drbg,
+                                unsigned char *out, size_t outlen);
+
+/*
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
+ * These need to be exposed for the unit tests.
+ */
+#if 0
+int rand_crngt_get_entropy_cb(OPENSSL_CTX *ctx, PROV_POOL *pool,
+                              unsigned char *buf, unsigned char *md,
+                              unsigned int *md_size);
+extern int (*crngt_get_entropy)(OPENSSL_CTX *ctx, PROV_POOL *pool,
+                                unsigned char *buf, unsigned char *md,
+                                unsigned int *md_size);
+#endif
+#endif
index 950cc62..b348b40 100644 (file)
 #include "crypto/rand.h"
 #include "internal/thread_once.h"
 #include "internal/cryptlib.h"
 #include "crypto/rand.h"
 #include "internal/thread_once.h"
 #include "internal/cryptlib.h"
-#include "rand_local.h"
+#include "crypto/rand_pool.h"
+#include "drbg_local.h"
+#include "crypto/rand_pool.h"
+#include "seeding/seeding.h"
 
 typedef struct crng_test_global_st {
     unsigned char crngt_prev[EVP_MAX_MD_SIZE];
     RAND_POOL *crngt_pool;
 } CRNG_TEST_GLOBAL;
 
 
 typedef struct crng_test_global_st {
     unsigned char crngt_prev[EVP_MAX_MD_SIZE];
     RAND_POOL *crngt_pool;
 } CRNG_TEST_GLOBAL;
 
-int (*crngt_get_entropy)(OPENSSL_CTX *, RAND_POOL *, unsigned char *,
-                         unsigned char *, unsigned int *)
-    = &rand_crngt_get_entropy_cb;
+static int crngt_get_entropy(OPENSSL_CTX *ctx, RAND_POOL *pool,
+                             unsigned char *buf, unsigned char *md,
+                             unsigned int *md_size)
+{
+    int r;
+    size_t n;
+    unsigned char *p;
+
+    if (pool == NULL)
+        return 0;
+
+    n = prov_pool_acquire_entropy(pool);
+    if (n >= CRNGT_BUFSIZ) {
+        EVP_MD *fmd = EVP_MD_fetch(ctx, "SHA256", "");
+        if (fmd == NULL)
+            return 0;
+        p = rand_pool_detach(pool);
+        r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, fmd, NULL);
+        if (r != 0)
+            memcpy(buf, p, CRNGT_BUFSIZ);
+        rand_pool_reattach(pool, p);
+        EVP_MD_free(fmd);
+        return r;
+    }
+    return 0;
+}
 
 static void rand_crng_ossl_ctx_free(void *vcrngt_glob)
 {
 
 static void rand_crng_ossl_ctx_free(void *vcrngt_glob)
 {
@@ -137,3 +163,24 @@ void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
 {
     OPENSSL_secure_clear_free(out, outlen);
 }
 {
     OPENSSL_secure_clear_free(out, outlen);
 }
+
+#if 0
+const OSSL_DISPATCH crngt_functions[] = {
+    { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))crngt_new },
+    { OSSL_FUNC_RAND_FREECTX, (void(*)(void))crngt_free },
+    { OSSL_FUNC_RAND_INSTANTIATE, (void(*)(void))crngt_instantiate },
+    { OSSL_FUNC_RAND_UNINSTANTIATE, (void(*)(void))crngt_uninstantiate },
+    { OSSL_FUNC_RAND_GENERATE, (void(*)(void))crngt_generate },
+    { OSSL_FUNC_RAND_RESEED, (void(*)(void))crngt_reseed },
+    { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))drbg_enable_locking },
+    { OSSL_FUNC_RAND_LOCK, (void(*)(void))drbg_lock },
+    { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))drbg_unlock },
+    { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
+      (void(*)(void))crngt_settable_ctx_params },
+    { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))crngt_set_ctx_params },
+    { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
+      (void(*)(void))crngt_gettable_ctx_params },
+    { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))crngt_get_ctx_params },
+    { 0, NULL }
+};
+#endif