/* * Uninstantiate |drbg|. Must be instantiated before it can be used. * * Requires that drbg->lock is already locked for write, if non-null. * * Returns 1 on success, 0 on failure. */ int RAND_DRBG_uninstantiate(RAND_DRBG *drbg) { int index = -1, type, flags; if (drbg->meth == NULL) { drbg->state = DRBG_ERROR; RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE, RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED); return 0; } /* Clear the entire drbg->ctr struct, then reset some important * members of the drbg->ctr struct (e.g. keysize, df_ks) to their * initial values. */ drbg->meth->uninstantiate(drbg); /* The reset uses the default values for type and flags */ if (drbg->flags & RAND_DRBG_FLAG_MASTER) index = RAND_DRBG_TYPE_MASTER; else if (drbg->flags & RAND_DRBG_FLAG_PRIVATE) index = RAND_DRBG_TYPE_PRIVATE; else if (drbg->flags & RAND_DRBG_FLAG_PUBLIC) index = RAND_DRBG_TYPE_PUBLIC; if (index != -1) { flags = rand_drbg_flags[index]; type = rand_drbg_type[index]; } else { flags = drbg->flags; type = drbg->type; } return RAND_DRBG_set(drbg, type, flags); }
/* * Allocate memory and initialize a new DRBG. The DRBG is allocated on * the secure heap if |secure| is nonzero and the secure heap is enabled. * The |parent|, if not NULL, will be used as random source for reseeding. * * Returns a pointer to the new DRBG instance on success, NULL on failure. */ static RAND_DRBG *rand_drbg_new(int secure, int type, unsigned int flags, RAND_DRBG *parent) { RAND_DRBG *drbg = secure ? OPENSSL_secure_zalloc(sizeof(*drbg)) : OPENSSL_zalloc(sizeof(*drbg)); if (drbg == NULL) { RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); return NULL; } drbg->secure = secure && CRYPTO_secure_allocated(drbg); drbg->fork_count = rand_fork_count; drbg->parent = parent; if (parent == NULL) { drbg->reseed_interval = master_reseed_interval; drbg->reseed_time_interval = master_reseed_time_interval; } else { drbg->reseed_interval = slave_reseed_interval; drbg->reseed_time_interval = slave_reseed_time_interval; } if (RAND_DRBG_set(drbg, type, flags) == 0) goto err; if (parent != NULL) { rand_drbg_lock(parent); if (drbg->strength > parent->strength) { /* * We currently don't support the algorithm from NIST SP 800-90C * 10.1.2 to use a weaker DRBG as source */ rand_drbg_unlock(parent); RANDerr(RAND_F_RAND_DRBG_NEW, RAND_R_PARENT_STRENGTH_TOO_WEAK); goto err; } rand_drbg_unlock(parent); } if (!RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy, rand_drbg_cleanup_entropy, NULL, NULL)) goto err; return drbg; err: if (drbg->secure) OPENSSL_secure_free(drbg); else OPENSSL_free(drbg); return NULL; }
/* * Allocates a new global DRBG on the secure heap (if enabled) and * initializes it with default settings. * A global lock for the DRBG is created with the given name. * * Returns a pointer to the new DRBG instance on success, NULL on failure. */ static RAND_DRBG *drbg_setup(const char *name, RAND_DRBG *parent) { RAND_DRBG *drbg; if (name == NULL) { RANDerr(RAND_F_DRBG_SETUP, ERR_R_INTERNAL_ERROR); return NULL; } drbg = OPENSSL_secure_zalloc(sizeof(RAND_DRBG)); if (drbg == NULL) return NULL; drbg->lock = CRYPTO_THREAD_glock_new(name); if (drbg->lock == NULL) { RANDerr(RAND_F_DRBG_SETUP, RAND_R_FAILED_TO_CREATE_LOCK); goto err; } if (RAND_DRBG_set(drbg, RAND_DRBG_NID, RAND_DRBG_FLAG_CTR_USE_DF) != 1) goto err; if (RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy, rand_drbg_cleanup_entropy, NULL, NULL) != 1) goto err; if (parent == NULL) { drbg->reseed_interval = MASTER_RESEED_INTERVAL; drbg->reseed_time_interval = MASTER_RESEED_TIME_INTERVAL; } else { drbg->parent = parent; drbg->reseed_interval = SLAVE_RESEED_INTERVAL; drbg->reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL; } /* enable seed propagation */ drbg->reseed_counter = 1; /* * Ignore instantiation error so support just-in-time instantiation. * * The state of the drbg will be checked in RAND_DRBG_generate() and * an automatic recovery is attempted. */ RAND_DRBG_instantiate(drbg, (const unsigned char *) ossl_pers_string, sizeof(ossl_pers_string) - 1); return drbg; err: drbg_cleanup(drbg); return NULL; }
/* * Initialise a DRBG based on selftest data */ static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t) { if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags)) || !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, kat_nonce, NULL))) return 0; RAND_DRBG_set_ex_data(drbg, app_data_index, t); t->entropy = td->entropy; t->entropylen = td->entropylen; t->nonce = td->nonce; t->noncelen = td->noncelen; t->entropycnt = 0; t->noncecnt = 0; return 1; }
/* * Uninstantiate |drbg|. Must be instantiated before it can be used. * * Requires that drbg->lock is already locked for write, if non-null. * * Returns 1 on success, 0 on failure. */ int RAND_DRBG_uninstantiate(RAND_DRBG *drbg) { if (drbg->meth == NULL) { RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE, RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED); return 0; } /* Clear the entire drbg->ctr struct, then reset some important * members of the drbg->ctr struct (e.g. keysize, df_ks) to their * initial values. */ drbg->meth->uninstantiate(drbg); return RAND_DRBG_set(drbg, drbg->type, drbg->flags); }
/* * Set up a global DRBG. */ static int setup_drbg(RAND_DRBG *drbg) { int ret = 1; drbg->lock = CRYPTO_THREAD_lock_new(); ret &= drbg->lock != NULL; drbg->size = RANDOMNESS_NEEDED; drbg->secure = CRYPTO_secure_malloc_initialized(); drbg->randomness = NULL; /* If you change these parameters, see RANDOMNESS_NEEDED */ ret &= RAND_DRBG_set(drbg, NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1; ret &= RAND_DRBG_set_callbacks(drbg, drbg_entropy_from_system, drbg_release_entropy, NULL, NULL) == 1; return ret; }
/* * Allocate memory and initialize a new DRBG. The |parent|, if not * NULL, will be used to auto-seed this RAND_DRBG as needed. * * Returns a pointer to the new DRBG instance on success, NULL on failure. */ RAND_DRBG *RAND_DRBG_new(int type, unsigned int flags, RAND_DRBG *parent) { RAND_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg)); if (drbg == NULL) { RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); goto err; } drbg->fork_count = rand_fork_count; drbg->parent = parent; if (RAND_DRBG_set(drbg, type, flags) == 0) goto err; if (!RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy, rand_drbg_cleanup_entropy, NULL, NULL)) goto err; return drbg; err: OPENSSL_free(drbg); return NULL; }
/* * Do a single KAT test. Return 0 on failure. */ static int single_kat(DRBG_SELFTEST_DATA *td) { RAND_DRBG *drbg = NULL; TEST_CTX t; int failures = 0; unsigned char buff[1024]; /* * Test without PR: Instantiate DRBG with test entropy, nonce and * personalisation string. */ if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))) return 0; if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, kat_nonce, NULL))) { failures++; goto err; } memset(&t, 0, sizeof(t)); t.entropy = td->entropy; t.entropylen = td->entropylen; t.nonce = td->nonce; t.noncelen = td->noncelen; RAND_DRBG_set_ex_data(drbg, app_data_index, &t); if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen)) || !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0, td->adin, td->adinlen)) || !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen)) failures++; /* Reseed DRBG with test entropy and additional input */ t.entropy = td->entropyreseed; t.entropylen = td->entropyreseedlen; if (!TEST_true(RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0) || !TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len, 0, td->adin2, td->adin2len)) || !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len))) failures++; uninstantiate(drbg); /* * Now test with PR: Instantiate DRBG with test entropy, nonce and * personalisation string. */ if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags)) || !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, kat_nonce, NULL))) failures++; RAND_DRBG_set_ex_data(drbg, app_data_index, &t); t.entropy = td->entropy_pr; t.entropylen = td->entropylen_pr; t.nonce = td->nonce_pr; t.noncelen = td->noncelen_pr; t.entropycnt = 0; t.noncecnt = 0; if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr))) failures++; /* * Now generate with PR: we need to supply entropy as this will * perform a reseed operation. */ t.entropy = td->entropypr_pr; t.entropylen = td->entropyprlen_pr; if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1, td->adin_pr, td->adinlen_pr)) || !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr)) failures++; /* * Now generate again with PR: supply new entropy again. */ t.entropy = td->entropyg_pr; t.entropylen = td->entropyglen_pr; if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1, td->ading_pr, td->adinglen_pr)) || !TEST_mem_eq(td->kat2_pr, td->kat2len_pr, buff, td->kat2len_pr)) failures++; err: uninstantiate(drbg); RAND_DRBG_free(drbg); return failures == 0; }
/* * Allocate memory and initialize a new DRBG. The DRBG is allocated on * the secure heap if |secure| is nonzero and the secure heap is enabled. * The |parent|, if not NULL, will be used as random source for reseeding. * * Returns a pointer to the new DRBG instance on success, NULL on failure. */ static RAND_DRBG *rand_drbg_new(int secure, int type, unsigned int flags, RAND_DRBG *parent) { RAND_DRBG *drbg = secure ? OPENSSL_secure_zalloc(sizeof(*drbg)) : OPENSSL_zalloc(sizeof(*drbg)); if (drbg == NULL) { RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); return NULL; } drbg->secure = secure && CRYPTO_secure_allocated(drbg); drbg->fork_count = rand_fork_count; drbg->parent = parent; if (parent == NULL) { drbg->get_entropy = rand_drbg_get_entropy; drbg->cleanup_entropy = rand_drbg_cleanup_entropy; #ifndef RAND_DRBG_GET_RANDOM_NONCE drbg->get_nonce = rand_drbg_get_nonce; drbg->cleanup_nonce = rand_drbg_cleanup_nonce; #endif drbg->reseed_interval = master_reseed_interval; drbg->reseed_time_interval = master_reseed_time_interval; } else { drbg->get_entropy = rand_drbg_get_entropy; drbg->cleanup_entropy = rand_drbg_cleanup_entropy; /* * Do not provide nonce callbacks, the child DRBGs will * obtain their nonce using random bits from the parent. */ drbg->reseed_interval = slave_reseed_interval; drbg->reseed_time_interval = slave_reseed_time_interval; } if (RAND_DRBG_set(drbg, type, flags) == 0) goto err; if (parent != NULL) { rand_drbg_lock(parent); if (drbg->strength > parent->strength) { /* * We currently don't support the algorithm from NIST SP 800-90C * 10.1.2 to use a weaker DRBG as source */ rand_drbg_unlock(parent); RANDerr(RAND_F_RAND_DRBG_NEW, RAND_R_PARENT_STRENGTH_TOO_WEAK); goto err; } rand_drbg_unlock(parent); } return drbg; err: if (drbg->secure) OPENSSL_secure_free(drbg); else OPENSSL_free(drbg); return NULL; }