openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

rand_drbg: remove RAND_DRBG. 

The RAND_DRBG API did not fit well into the new provider concept as
implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
and some of its API calls are rather low-level. This holds in particular
for the callback mechanism (RAND_DRBG_set_callbacks()) and the RAND_DRBG
type changing mechanism (RAND_DRBG_set()).

Adding a compatibility layer to continue supporting the RAND_DRBG API as
a legacy API for a regular deprecation period turned out to come at the
price of complicating the new provider API unnecessarily. Since the
RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
to drop it entirely.

Other related changes:

Use RNG instead of DRBG in EVP_RAND documentation.  The documentation was
using DRBG in places where it should have been RNG or CSRNG.

Move the RAND_DRBG(7) documentation to EVP_RAND(7).

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12509)
This commit is contained in:
Pauli 2020-07-22 12:55:31 +10:00
parent 4df0d37ff6
commit 7d615e2178
52 changed files with 715 additions and 19795 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
CHANGES.md
View File

@ -23,6 +23,22 @@ OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
* Remove the RAND_DRBG API
The RAND_DRBG API did not fit well into the new provider concept as
implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
and some of its API calls are rather low-level. This holds in particular
for the callback mechanism (RAND_DRBG_set_callbacks()).
Adding a compatibility layer to continue supporting the RAND_DRBG API as
a legacy API for a regular deprecation period turned out to come at the
price of complicating the new provider API unnecessarily. Since the
RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
to drop it entirely.
*Paul Dale and Matthias St. Pierre*
* Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses
as well as actual hostnames.

1
NEWS.md
View File

@ -20,6 +20,7 @@ OpenSSL 3.0
### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development]
* Remove the `RAND_DRBG` API.
* Deprecated the `ENGINE` API.
* Added `OPENSSL_CTX`, a libcrypto library context.
* Interactive mode is removed from the 'openssl' program.

4
crypto/err/openssl.txt
View File

@ -2989,6 +2989,8 @@ RAND_R_RESEED_ERROR:118:reseed error
RAND_R_SELFTEST_FAILURE:119:selftest failure
RAND_R_TOO_LITTLE_NONCE_REQUESTED:135:too little nonce requested
RAND_R_TOO_MUCH_NONCE_REQUESTED:136:too much nonce requested
RAND_R_UNABLE_TO_CREATE_DRBG:143:unable to create drbg
RAND_R_UNABLE_TO_FETCH_DRBG:144:unable to fetch drbg
RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER:141:\
unable to get parent reseed prop counter
RAND_R_UNABLE_TO_GET_PARENT_STRENGTH:138:unable to get parent strength
@ -3467,13 +3469,13 @@ X509V3_R_INCORRECT_POLICY_SYNTAX_TAG:152:incorrect policy syntax tag
X509V3_R_INVALID_ASNUMBER:162:invalid asnumber
X509V3_R_INVALID_ASRANGE:163:invalid asrange
X509V3_R_INVALID_BOOLEAN_STRING:104:invalid boolean string
X509V3_R_INVALID_EMPTY_NAME:108:invalid empty name
X509V3_R_INVALID_EXTENSION_STRING:105:invalid extension string
X509V3_R_INVALID_INHERITANCE:165:invalid inheritance
X509V3_R_INVALID_IPADDRESS:166:invalid ipaddress
X509V3_R_INVALID_MULTIPLE_RDNS:161:invalid multiple rdns
X509V3_R_INVALID_NAME:106:invalid name
X509V3_R_INVALID_NULL_ARGUMENT:107:invalid null argument
X509V3_R_INVALID_EMPTY_NAME:108:invalid empty name
X509V3_R_INVALID_NULL_VALUE:109:invalid null value
X509V3_R_INVALID_NUMBER:140:invalid number
X509V3_R_INVALID_NUMBERS:141:invalid numbers

1
crypto/evp/e_aria.c
View File

@ -13,7 +13,6 @@
# include <openssl/evp.h>
# include <openssl/modes.h>
# include <openssl/rand.h>
# include <openssl/rand_drbg.h>
# include "crypto/aria.h"
# include "crypto/evp.h"
# include "crypto/modes.h"

1
crypto/evp/evp_enc.c
View File

@ -16,7 +16,6 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/rand_drbg.h>
#include <openssl/engine.h>
#include <openssl/params.h>
#include <openssl/core_names.h>

27
crypto/evp/evp_local.h
View File

@ -71,33 +71,6 @@ struct evp_rand_ctx_st {
void *data; /* Algorithm-specific data */
} /* EVP_RAND_CTX */ ;
struct evp_rand_st {
OSSL_PROVIDER *prov;
int name_id;
CRYPTO_REF_COUNT refcnt;
CRYPTO_RWLOCK *refcnt_lock;
const OSSL_DISPATCH *dispatch;
OSSL_FUNC_rand_newctx_fn *newctx;
OSSL_FUNC_rand_freectx_fn *freectx;
OSSL_FUNC_rand_instantiate_fn *instantiate;
OSSL_FUNC_rand_uninstantiate_fn *uninstantiate;
OSSL_FUNC_rand_generate_fn *generate;
OSSL_FUNC_rand_reseed_fn *reseed;
OSSL_FUNC_rand_nonce_fn *nonce;
OSSL_FUNC_rand_enable_locking_fn *enable_locking;
OSSL_FUNC_rand_lock_fn *lock;
OSSL_FUNC_rand_unlock_fn *unlock;
OSSL_FUNC_rand_gettable_params_fn *gettable_params;
OSSL_FUNC_rand_gettable_ctx_params_fn *gettable_ctx_params;
OSSL_FUNC_rand_settable_ctx_params_fn *settable_ctx_params;
OSSL_FUNC_rand_get_params_fn *get_params;
OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params;
OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params;
OSSL_FUNC_rand_set_callbacks_fn *set_callbacks;
OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization;
} /* EVP_RAND */ ;
struct evp_keymgmt_st {
int id; /* libcrypto internal */

63
crypto/evp/evp_rand.c
View File

@ -25,6 +25,32 @@
#include "internal/provider.h"
#include "evp_local.h"
struct evp_rand_st {
OSSL_PROVIDER *prov;
int name_id;
CRYPTO_REF_COUNT refcnt;
CRYPTO_RWLOCK *refcnt_lock;
const OSSL_DISPATCH *dispatch;
OSSL_FUNC_rand_newctx_fn *newctx;
OSSL_FUNC_rand_freectx_fn *freectx;
OSSL_FUNC_rand_instantiate_fn *instantiate;
OSSL_FUNC_rand_uninstantiate_fn *uninstantiate;
OSSL_FUNC_rand_generate_fn *generate;
OSSL_FUNC_rand_reseed_fn *reseed;
OSSL_FUNC_rand_nonce_fn *nonce;
OSSL_FUNC_rand_enable_locking_fn *enable_locking;
OSSL_FUNC_rand_lock_fn *lock;
OSSL_FUNC_rand_unlock_fn *unlock;
OSSL_FUNC_rand_gettable_params_fn *gettable_params;
OSSL_FUNC_rand_gettable_ctx_params_fn *gettable_ctx_params;
OSSL_FUNC_rand_settable_ctx_params_fn *settable_ctx_params;
OSSL_FUNC_rand_get_params_fn *get_params;
OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params;
OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params;
OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization;
} /* EVP_RAND */ ;
static int evp_rand_up_ref(void *vrand)
{
EVP_RAND *rand = (EVP_RAND *)vrand;
@ -144,11 +170,6 @@ static void *evp_rand_from_dispatch(int name_id,
break;
rand->nonce = OSSL_FUNC_rand_nonce(fns);
break;
case OSSL_FUNC_RAND_SET_CALLBACKS:
if (rand->set_callbacks != NULL)
break;
rand->set_callbacks = OSSL_FUNC_rand_set_callbacks(fns);
break;
case OSSL_FUNC_RAND_ENABLE_LOCKING:
if (rand->enable_locking != NULL)
break;
@ -579,38 +600,6 @@ int EVP_RAND_state(EVP_RAND_CTX *ctx)
return state;
}
static int evp_rand_set_callbacks_locked(EVP_RAND_CTX *ctx,
OSSL_INOUT_CALLBACK *get_entropy,
OSSL_CALLBACK *cleanup_entropy,
OSSL_INOUT_CALLBACK *get_nonce,
OSSL_CALLBACK *cleanup_nonce,
void *arg)
{
if (ctx->meth->set_callbacks == NULL) {
EVPerr(0, EVP_R_UNABLE_TO_SET_CALLBACKS);
return 0;
}
ctx->meth->set_callbacks(ctx->data, get_entropy, cleanup_entropy,
get_nonce, cleanup_nonce, arg);
return 1;
}
int EVP_RAND_set_callbacks(EVP_RAND_CTX *ctx,
OSSL_INOUT_CALLBACK *get_entropy,
OSSL_CALLBACK *cleanup_entropy,
OSSL_INOUT_CALLBACK *get_nonce,
OSSL_CALLBACK *cleanup_nonce, void *arg)
{
int res;
if (!evp_rand_lock(ctx))
return 0;
res = evp_rand_set_callbacks_locked(ctx, get_entropy, cleanup_entropy,
get_nonce, cleanup_nonce, arg);
evp_rand_unlock(ctx);
return res;
}
static int evp_rand_verify_zeroization_locked(EVP_RAND_CTX *ctx)
{
if (ctx->meth->verify_zeroization != NULL)

2
crypto/rand/build.info
View File

@ -1,6 +1,6 @@
LIBS=../../libcrypto
$COMMON=drbg_lib.c rand_lib.c
$COMMON=rand_lib.c rand_meth.c
$CRYPTO=randfile.c rand_err.c rand_deprecated.c
IF[{- !$disabled{'egd'} -}]

1016
crypto/rand/drbg_lib.c
View File

File diff suppressed because it is too large Load Diff

4
crypto/rand/rand_err.c
View File

@ -79,6 +79,10 @@ static const ERR_STRING_DATA RAND_str_reasons[] = {
"too little nonce requested"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_TOO_MUCH_NONCE_REQUESTED),
"too much nonce requested"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_UNABLE_TO_CREATE_DRBG),
"unable to create drbg"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_UNABLE_TO_FETCH_DRBG),
"unable to fetch drbg"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER),
"unable to get parent reseed prop counter"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH),

285
crypto/rand/rand_lib.c
View File

@ -15,7 +15,9 @@
#include "internal/cryptlib.h"
#include <openssl/opensslconf.h>
#include "crypto/rand.h"
#include "crypto/cryptlib.h"
#include <openssl/engine.h>
#include <openssl/core_names.h>
#include "internal/thread_once.h"
#include "rand_local.h"
#include "e_os.h"
@ -105,16 +107,17 @@ int RAND_poll(void)
{
const RAND_METHOD *meth = RAND_get_rand_method();
int ret = meth == RAND_OpenSSL();
RAND_POOL *pool;
if (meth == NULL)
return 0;
#ifndef OPENSSL_NO_DEPRECATED_3_0
if (!ret) {
/* fill random pool and seed the current legacy RNG */
pool = rand_pool_new(RAND_DRBG_STRENGTH, 1,
(RAND_DRBG_STRENGTH + 7) / 8,
RAND_POOL_MAX_LENGTH);
RAND_POOL *pool = rand_pool_new(RAND_DRBG_STRENGTH, 1,
(RAND_DRBG_STRENGTH + 7) / 8,
RAND_POOL_MAX_LENGTH);
if (pool == NULL)
return 0;
@ -131,6 +134,7 @@ int RAND_poll(void)
err:
rand_pool_free(pool);
}
#endif
return ret;
}
@ -235,15 +239,15 @@ int RAND_pseudo_bytes(unsigned char *buf, int num)
int RAND_status(void)
{
RAND_DRBG *drbg;
EVP_RAND_CTX *rand;
const RAND_METHOD *meth = RAND_get_rand_method();
if (meth != NULL && meth != RAND_OpenSSL())
return meth->status != NULL ? meth->status() : 0;
if ((drbg = RAND_DRBG_get0_master()) == NULL || drbg->rand == NULL)
if ((rand = RAND_get0_primary(NULL)) == NULL)
return EVP_RAND_STATE_UNINITIALISED;
return EVP_RAND_state(drbg->rand) == EVP_RAND_STATE_READY;
return EVP_RAND_state(rand) == EVP_RAND_STATE_READY;
}
#else /* !FIPS_MODULE */
@ -260,7 +264,7 @@ const RAND_METHOD *RAND_get_rand_method(void)
*/
int RAND_priv_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num)
{
RAND_DRBG *drbg;
EVP_RAND_CTX *rand;
const RAND_METHOD *meth = RAND_get_rand_method();
if (meth != NULL && meth != RAND_OpenSSL()) {
@ -270,9 +274,9 @@ int RAND_priv_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num)
return -1;
}
drbg = OPENSSL_CTX_get0_private_drbg(ctx);
if (drbg != NULL)
return RAND_DRBG_bytes(drbg, buf, num);
rand = RAND_get0_private(ctx);
if (rand != NULL)
return EVP_RAND_generate(rand, buf, num, 0, 0, NULL, 0);
return 0;
}
@ -284,7 +288,7 @@ int RAND_priv_bytes(unsigned char *buf, int num)
int RAND_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num)
{
RAND_DRBG *drbg;
EVP_RAND_CTX *rand;
const RAND_METHOD *meth = RAND_get_rand_method();
if (meth != NULL && meth != RAND_OpenSSL()) {
@ -294,9 +298,9 @@ int RAND_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num)
return -1;
}
drbg = OPENSSL_CTX_get0_public_drbg(ctx);
if (drbg != NULL)
return RAND_DRBG_bytes(drbg, buf, num);
rand = RAND_get0_public(ctx);
if (rand != NULL)
return EVP_RAND_generate(rand, buf, num, 0, 0, NULL, 0);
return 0;
}
@ -305,3 +309,254 @@ int RAND_bytes(unsigned char *buf, int num)
{
return RAND_bytes_ex(NULL, buf, num);
}
typedef struct rand_global_st {
/*
* The three shared DRBG instances
*
* There are three shared DRBG instances: <primary>, <public>, and
* <private>. The <public> and <private> DRBGs are secondary ones.
* These are used for non-secret (e.g. nonces) and secret
* (e.g. private keys) data respectively.
*/
CRYPTO_RWLOCK *lock;
/*
* The <primary> DRBG
*
* Not used directly by the application, only for reseeding the two other
* DRBGs. It reseeds itself by pulling either randomness from os entropy
* sources or by consuming randomness which was added by RAND_add().
*
* The <primary> DRBG is a global instance which is accessed concurrently by
* all threads. The necessary locking is managed automatically by its child
* DRBG instances during reseeding.
*/
EVP_RAND_CTX *primary;
/*
* The <public> DRBG
*
* Used by default for generating random bytes using RAND_bytes().
*
* The <public> secondary DRBG is thread-local, i.e., there is one instance
* per thread.
*/
CRYPTO_THREAD_LOCAL public;
/*
* The <private> DRBG
*
* Used by default for generating private keys using RAND_priv_bytes()
*
* The <private> secondary DRBG is thread-local, i.e., there is one
* instance per thread.
*/
CRYPTO_THREAD_LOCAL private;
} RAND_GLOBAL;
/*
* Initialize the OPENSSL_CTX global DRBGs on first use.
* Returns the allocated global data on success or NULL on failure.
*/
static void *rand_ossl_ctx_new(OPENSSL_CTX *libctx)
{
RAND_GLOBAL *dgbl = OPENSSL_zalloc(sizeof(*dgbl));
if (dgbl == NULL)
return NULL;
#ifndef FIPS_MODULE
/*
* We need to ensure that base libcrypto thread handling has been
* initialised.
*/
OPENSSL_init_crypto(0, NULL);
#endif
dgbl->lock = CRYPTO_THREAD_lock_new();
if (dgbl->lock == NULL)
goto err1;
if (!CRYPTO_THREAD_init_local(&dgbl->private, NULL))
goto err1;
if (!CRYPTO_THREAD_init_local(&dgbl->public, NULL))
goto err2;
return dgbl;
err2:
CRYPTO_THREAD_cleanup_local(&dgbl->private);
err1:
CRYPTO_THREAD_lock_free(dgbl->lock);
OPENSSL_free(dgbl);
return NULL;
}
static void rand_ossl_ctx_free(void *vdgbl)
{
RAND_GLOBAL *dgbl = vdgbl;
if (dgbl == NULL)
return;
CRYPTO_THREAD_lock_free(dgbl->lock);
EVP_RAND_CTX_free(dgbl->primary);
CRYPTO_THREAD_cleanup_local(&dgbl->private);
CRYPTO_THREAD_cleanup_local(&dgbl->public);
OPENSSL_free(dgbl);
}
static const OPENSSL_CTX_METHOD rand_drbg_ossl_ctx_method = {
rand_ossl_ctx_new,
rand_ossl_ctx_free,
};
static RAND_GLOBAL *rand_get_global(OPENSSL_CTX *libctx)
{
return openssl_ctx_get_data(libctx, OPENSSL_CTX_DRBG_INDEX,
&rand_drbg_ossl_ctx_method);
}
static void rand_delete_thread_state(void *arg)
{
OPENSSL_CTX *ctx = arg;
RAND_GLOBAL *dgbl = rand_get_global(ctx);
EVP_RAND_CTX *rand;
if (dgbl == NULL)
return;
rand = CRYPTO_THREAD_get_local(&dgbl->public);
CRYPTO_THREAD_set_local(&dgbl->public, NULL);
EVP_RAND_CTX_free(rand);
rand = CRYPTO_THREAD_get_local(&dgbl->private);
CRYPTO_THREAD_set_local(&dgbl->private, NULL);
EVP_RAND_CTX_free(rand);
}
static EVP_RAND_CTX *rand_new_drbg(OPENSSL_CTX *libctx, EVP_RAND_CTX *parent,
unsigned int reseed_interval,
time_t reseed_time_interval)
{
EVP_RAND *rand = EVP_RAND_fetch(libctx, "CTR-DRBG", NULL);
EVP_RAND_CTX *ctx;
OSSL_PARAM params[4], *p = params;
if (rand == NULL) {
RANDerr(0, RAND_R_UNABLE_TO_FETCH_DRBG);
return NULL;
}
ctx = EVP_RAND_CTX_new(rand, parent);
EVP_RAND_free(rand);
if (ctx == NULL) {
RANDerr(0, RAND_R_UNABLE_TO_CREATE_DRBG);
return NULL;
}
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_CIPHER,
"AES-256-CTR", 0);
*p++ = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS,
&reseed_interval);
*p++ = OSSL_PARAM_construct_time_t(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL,
&reseed_time_interval);
*p = OSSL_PARAM_construct_end();
if (!EVP_RAND_set_ctx_params(ctx, params)) {
RANDerr(0, RAND_R_ERROR_INITIALISING_DRBG);
EVP_RAND_CTX_free(ctx);
ctx = NULL;
}
return ctx;
}
/*
* Get the primary random generator.
* Returns pointer to its EVP_RAND_CTX on success, NULL on failure.
*
*/
EVP_RAND_CTX *RAND_get0_primary(OPENSSL_CTX *ctx)
{
RAND_GLOBAL *dgbl = rand_get_global(ctx);
if (dgbl == NULL)
return NULL;
if (dgbl->primary == NULL) {
if (!CRYPTO_THREAD_write_lock(dgbl->lock))
return NULL;
if (dgbl->primary == NULL)
dgbl->primary = rand_new_drbg(ctx, NULL, PRIMARY_RESEED_INTERVAL,
PRIMARY_RESEED_TIME_INTERVAL);
CRYPTO_THREAD_unlock(dgbl->lock);
}
return dgbl->primary;
}
/*
* Get the public random generator.
* Returns pointer to its EVP_RAND_CTX on success, NULL on failure.
*/
EVP_RAND_CTX *RAND_get0_public(OPENSSL_CTX *ctx)
{
RAND_GLOBAL *dgbl = rand_get_global(ctx);
EVP_RAND_CTX *rand, *primary;
if (dgbl == NULL)
return NULL;
rand = CRYPTO_THREAD_get_local(&dgbl->public);
if (rand == NULL) {
primary = RAND_get0_primary(ctx);
if (primary == NULL)
return NULL;
ctx = openssl_ctx_get_concrete(ctx);
/*
* If the private is also NULL then this is the first time we've
* used this thread.
*/
if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
return NULL;
rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
SECONDARY_RESEED_TIME_INTERVAL);
CRYPTO_THREAD_set_local(&dgbl->public, rand);
}
return rand;
}
/*
* Get the private random generator.
* Returns pointer to its EVP_RAND_CTX on success, NULL on failure.
*/
EVP_RAND_CTX *RAND_get0_private(OPENSSL_CTX *ctx)
{
RAND_GLOBAL *dgbl = rand_get_global(ctx);
EVP_RAND_CTX *rand, *primary;
if (dgbl == NULL)
return NULL;
rand = CRYPTO_THREAD_get_local(&dgbl->private);
if (rand == NULL) {
primary = RAND_get0_primary(ctx);
if (primary == NULL)
return NULL;
ctx = openssl_ctx_get_concrete(ctx);
/*
* If the public is also NULL then this is the first time we've
* used this thread.
*/
if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
return NULL;
rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
SECONDARY_RESEED_TIME_INTERVAL);
CRYPTO_THREAD_set_local(&dgbl->private, rand);
}
return rand;
}

34
crypto/rand/rand_local.h
View File

@ -15,48 +15,16 @@
# include <openssl/sha.h>
# include <openssl/hmac.h>
# include <openssl/ec.h>
# include <openssl/rand_drbg.h>
# include <openssl/rand.h>
# include "internal/tsan_assist.h"
# include "crypto/rand.h"
# include "internal/numbers.h"
/* Maximum reseed intervals */
# define MAX_RESEED_INTERVAL (1 << 24)
# define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */
/* Default reseed intervals */
# define PRIMARY_RESEED_INTERVAL (1 << 8)
# define SECONDARY_RESEED_INTERVAL (1 << 16)
# define PRIMARY_RESEED_TIME_INTERVAL (60 * 60) /* 1 hour */
# define SECONDARY_RESEED_TIME_INTERVAL (7 * 60) /* 7 minutes */
/*
* The state of all types of DRBGs.
*/
struct rand_drbg_st {
CRYPTO_RWLOCK *lock;
/* The library context this DRBG is associated with, if any */
OPENSSL_CTX *libctx;
RAND_DRBG *parent;
int type; /* the nid of the underlying algorithm */
unsigned short flags; /* various external flags */
/* Application data, mainly used in the KATs. */
CRYPTO_EX_DATA ex_data;
/* Implementation */
EVP_RAND_CTX *rand;
/* Callback functions. See comments in rand_lib.c */
RAND_DRBG_get_entropy_fn get_entropy;
RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
RAND_DRBG_get_nonce_fn get_nonce;
RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
void *callback_data;
};
/* The global RAND method, and the global buffer and DRBG instance. */
extern RAND_METHOD rand_meth;

69
crypto/rand/rand_meth.c Normal file
View File

@ -0,0 +1,69 @@
/*
* Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/evp.h>
#include <openssl/rand.h>
#include "rand_local.h"
/* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness)
{
EVP_RAND_CTX *drbg = RAND_get0_primary(NULL);
if (drbg == NULL || num <= 0)
return 0;
return EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
}
/* Implements the default OpenSSL RAND_seed() method */
static int drbg_seed(const void *buf, int num)
{
return drbg_add(buf, num, num);
}
/* Implements the default OpenSSL RAND_status() method */
static int drbg_status(void)
{
EVP_RAND_CTX *drbg = RAND_get0_primary(NULL);
if (drbg == NULL)
return 0;
return EVP_RAND_state(drbg) == EVP_RAND_STATE_READY ? 1 : 0;
}
/* Implements the default OpenSSL RAND_bytes() method */
static int drbg_bytes(unsigned char *out, int count)
{
EVP_RAND_CTX *drbg = RAND_get0_public(NULL);
if (drbg == NULL)
return 0;
return EVP_RAND_generate(drbg, out, count, 0, 0, NULL, 0);
}
RAND_METHOD rand_meth = {
drbg_seed,
drbg_bytes,
NULL,
drbg_add,
drbg_bytes,
drbg_status
};
RAND_METHOD *RAND_OpenSSL(void)
{
#ifndef FIPS_MODULE
return &rand_meth;
#else
return NULL;
#endif
}

1
crypto/rand/randfile.c
View File

@ -16,7 +16,6 @@
#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/rand_drbg.h>
#include <openssl/buffer.h>
#ifdef OPENSSL_SYS_VMS

4
doc/man1/openssl-rand.pod.in
View File

@ -28,7 +28,7 @@ The random bytes are generated using the L<RAND_bytes(3)> function,
which provides a security level of 256 bits, provided it managed to
seed itself successfully from a trusted operating system entropy source.
Otherwise, the command will fail with a nonzero error code.
For more details, see L<RAND_bytes(3)>, L<RAND(7)>, and L<RAND_DRBG(7)>.
For more details, see L<RAND_bytes(3)>, L<RAND(7)>, and L<EVP_RAND(7)>.
=head1 OPTIONS
@ -63,7 +63,7 @@ Show the output as a hex string.
L<openssl(1)>,
L<RAND_bytes(3)>,
L<RAND(7)>,
L<RAND_DRBG(7)>
L<EVP_RAND(7)>
=head1 HISTORY

3
doc/man3/BIO_get_ex_new_index.pod
View File

@ -10,7 +10,6 @@ ECDH_get_ex_new_index, ECDH_set_ex_data, ECDH_get_ex_data,
EC_KEY_get_ex_new_index, EC_KEY_set_ex_data, EC_KEY_get_ex_data,
ENGINE_get_ex_new_index, ENGINE_set_ex_data, ENGINE_get_ex_data,
EVP_PKEY_get_ex_new_index, EVP_PKEY_set_ex_data, EVP_PKEY_get_ex_data,
RAND_DRBG_set_ex_data, RAND_DRBG_get_ex_data, RAND_DRBG_get_ex_new_index,
RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data,
RSA_set_app_data, RSA_get_app_data,
SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data,
@ -70,8 +69,6 @@ TYPE_set_app_data() is a macro that invokes TYPE_set_ex_data() with
B<idx> set to zero.
TYPE_get_app_data() is a macro that invokes TYPE_get_ex_data() with
B<idx> set to zero.
Note that these functions are not defined for the B<RAND_DRBG> type because
there are no backward compatibility concerns.
=head1 RETURN VALUES

2
doc/man3/BN_rand.pod
View File

@ -82,7 +82,7 @@ L<RAND_add(3)>,
L<RAND_bytes(3)>,
L<RAND_priv_bytes(3)>,
L<RAND(7)>,
L<RAND_DRBG(7)>
L<EVP_RAND(7)>
=head1 HISTORY

1
doc/man3/CRYPTO_get_ex_new_index.pod
View File

@ -50,7 +50,6 @@ The specific structures are:
EC_KEY
ENGINE
EVP_PKEY
RAND_DRBG
RSA
SSL
SSL_CTX

20
doc/man3/EVP_RAND.pod
View File

@ -5,7 +5,7 @@
EVP_RAND, EVP_RAND_fetch, EVP_RAND_free, EVP_RAND_up_ref, EVP_RAND_CTX,
EVP_RAND_CTX_new, EVP_RAND_CTX_free, EVP_RAND_instantiate,
EVP_RAND_uninstantiate, EVP_RAND_generate, EVP_RAND_reseed,
EVP_RAND_nonce, EVP_RAND_enable_locking, EVP_RAND_set_callbacks,
EVP_RAND_nonce, EVP_RAND_enable_locking,
EVP_RAND_verify_zeroization, EVP_RAND_strength, EVP_RAND_state,
EVP_RAND_provider, EVP_RAND_CTX_rand, EVP_RAND_is_a, EVP_RAND_number,
EVP_RAND_name, EVP_RAND_names_do_all, EVP_RAND_get_ctx_params,
@ -57,10 +57,6 @@ EVP_RAND_STATE_ERROR - EVP RAND routines
const unsigned char *addin, size_t addin_len);
int EVP_RAND_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen);
int EVP_RAND_enable_locking(EVP_RAND_CTX *ctx);
int EVP_RAND_set_callbacks(EVP_RAND_CTX *ctx, OSSL_CALLBACK *get_entropy,
OSSL_CALLBACK *cleanup_entropy,
OSSL_CALLBACK *get_nonce,
OSSL_CALLBACK *cleanup_nonce, void *arg);
int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx);
unsigned int EVP_RAND_strength(EVP_RAND_CTX *ctx);
int EVP_RAND_state(EVP_RAND_CTX *ctx);
@ -157,12 +153,6 @@ EVP_RAND_enable_locking() enables locking for the RAND I<ctx> and all of
its parents. After this I<ctx> will operate in a thread safe manner, albeit
more slowly.
EVP_RAND_set_callbacks() sets callbacks on the RAND I<ctx> to accept
external entropy and nonce input. The callback I<get_entropy> fills a buffer
with new randomness and the callback I<cleanup_entropy> clears and frees the
buffer. Likewise for I<get_nonce> and I<cleanup_nonce>. In all cases the
callbacks are passed I<arg> in addition to an OSSL_PARAM array.
EVP_RAND_get_params() retrieves details about the implementation
I<rand>.
The set of parameters given with I<params> determine exactly what
@ -198,22 +188,22 @@ See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as parameter descriptor.
EVP_RAND_strength() returns the security strength of the RAND I<ctx>.
EVP_RAND_state() returns the current state of the RAND I<ctx>.
States defined by the OpenSSL DRBGs are:
States defined by the OpenSSL RNGs are:
=over 4
=item *
EVP_RAND_STATE_UNINITIALISED: this DRBG is currently uninitialised.
EVP_RAND_STATE_UNINITIALISED: this RNG is currently uninitialised.
The instantiate call will change this to the ready state.
=item *
EVP_RAND_STATE_READY: this DRBG is currently ready to generate output.
EVP_RAND_STATE_READY: this RNG is currently ready to generate output.
=item *
EVP_RAND_STATE_ERROR: this DRBG is in an error state.
EVP_RAND_STATE_ERROR: this RNG is in an error state.
=back

90
doc/man3/RAND_DRBG_generate.pod
View File

@ -1,90 +0,0 @@
=pod
=head1 NAME
RAND_DRBG_generate,
RAND_DRBG_bytes
- generate random bytes using the given drbg instance
=head1 SYNOPSIS
#include <openssl/rand_drbg.h>
int RAND_DRBG_generate(RAND_DRBG *drbg,
unsigned char *out, size_t outlen,
int prediction_resistance,
const unsigned char *adin, size_t adinlen);
int RAND_DRBG_bytes(RAND_DRBG *drbg,
unsigned char *out, size_t outlen);
=head1 DESCRIPTION
RAND_DRBG_generate() generates B<outlen> random bytes using the given
DRBG instance B<drbg> and stores them in the buffer at B<out>.
Before generating the output, the DRBG instance checks whether the maximum
number of generate requests (I<reseed interval>) or the maximum timespan
(I<reseed time interval>) since its last seeding have been reached.
If this is the case, the DRBG reseeds automatically.
Additionally, an immediate reseeding can be requested by setting the
B<prediction_resistance> flag to 1.
Requesting prediction resistance is a relative expensive operation.
See NOTES section for more details.
The caller can optionally provide additional data to be used for reseeding
by passing a pointer B<adin> to a buffer of length B<adinlen>.
This additional data is mixed into the internal state of the random
generator but does not contribute to the entropy count.
The additional data can be omitted by setting B<adin> to NULL and
B<adinlen> to 0;
RAND_DRBG_bytes() generates B<outlen> random bytes using the given
DRBG instance B<drbg> and stores them in the buffer at B<out>.
This function is a wrapper around the RAND_DRBG_generate() call,
which collects some additional data from low entropy sources
(e.g., a high resolution timer) and calls
RAND_DRBG_generate(drbg, out, outlen, 0, adin, adinlen).
=head1 RETURN VALUES
RAND_DRBG_generate() and RAND_DRBG_bytes() return 1 on success,
and 0 on failure.
=head1 NOTES
The I<reseed interval> and I<reseed time interval> of the B<drbg> are set to
reasonable default values, which in general do not have to be adjusted.
If necessary, they can be changed using L<RAND_DRBG_set_reseed_interval(3)>
and L<RAND_DRBG_set_reseed_time_interval(3)>, respectively.
A request for prediction resistance can only be satisfied by pulling fresh
entropy from a live entropy source (section 5.5.2 of [NIST SP 800-90C]).
It is up to the user to ensure that a live entropy source is configured
and is being used.
=head1 SEE ALSO
L<RAND_bytes(3)>,
L<RAND_DRBG_set_reseed_interval(3)>,
L<RAND_DRBG_set_reseed_time_interval(3)>,
L<RAND_DRBG(7)>
=head1 HISTORY
The RAND_DRBG functions were added in OpenSSL 1.1.1.
Prediction resistance is supported from OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

97
doc/man3/RAND_DRBG_get0_public.pod
View File

@ -1,97 +0,0 @@
=pod
=head1 NAME
OPENSSL_CTX_get0_primary_drbg,
OPENSSL_CTX_get0_public_drbg,
OPENSSL_CTX_get0_private_drbg,
RAND_DRBG_get0_master,
RAND_DRBG_get0_public,
RAND_DRBG_get0_private
- get access to the global RAND_DRBG instances
=head1 SYNOPSIS
#include <openssl/rand_drbg.h>
RAND_DRBG *OPENSSL_CTX_get0_primary_drbg(OPENSSL_CTX *ctx);
RAND_DRBG *OPENSSL_CTX_get0_public_drbg(OPENSSL_CTX *ctx);
RAND_DRBG *OPENSSL_CTX_get0_private_drbg(OPENSSL_CTX *ctx);
RAND_DRBG *RAND_DRBG_get0_master(void);
RAND_DRBG *RAND_DRBG_get0_public(void);
RAND_DRBG *RAND_DRBG_get0_private(void);
=head1 DESCRIPTION
The default RAND API implementation (RAND_OpenSSL()) utilizes three
shared DRBG instances which are accessed via the RAND API:
The I<public> and I<private> DRBG are thread-local instances, which are used
by RAND_bytes() and RAND_priv_bytes(), respectively.
The I<master> DRBG is a global instance, which is not intended to be used
directly, but is used internally to reseed the other two instances.
These functions here provide access to the shared DRBG instances.
=head1 RETURN VALUES
OPENSSL_CTX_get0_primary_drbg() returns a pointer to the I<master> DRBG instance
for the given OPENSSL_CTX B<ctx>.
OPENSSL_CTX_get0_public_drbg() returns a pointer to the I<public> DRBG instance
for the given OPENSSL_CTX B<ctx>.
OPENSSL_CTX_get0_private_drbg() returns a pointer to the I<private> DRBG instance
for the given OPENSSL_CTX B<ctx>.
In all the above cases the B<ctx> parameter can
be NULL in which case the default OPENSSL_CTX is used. RAND_DRBG_get0_master(),
RAND_DRBG_get0_public() and RAND_DRBG_get0_private() are the same as
OPENSSL_CTX_get0_primary_drbg(), OPENSSL_CTX_get0_public_drbg() and
OPENSSL_CTX_get0_private_drbg() respectively except that the default OPENSSL_CTX
is always used.
=head1 NOTES
It is not thread-safe to access the I<master> DRBG instance.
The I<public> and I<private> DRBG instance can be accessed safely, because
they are thread-local. Note however, that changes to these two instances
apply only to the current thread.
For that reason it is recommended not to change the settings of these
three instances directly.
Instead, an application should change the default settings for new DRBG instances
at initialization time, before creating additional threads.
During initialization, it is possible to change the reseed interval
and reseed time interval.
It is also possible to exchange the reseeding callbacks entirely.
=head1 SEE ALSO
L<RAND_DRBG_set_callbacks(3)>,
L<RAND_DRBG_set_reseed_defaults(3)>,
L<RAND_DRBG_set_reseed_interval(3)>,
L<RAND_DRBG_set_reseed_time_interval(3)>,
L<RAND_DRBG_set_callbacks(3)>,
L<RAND_DRBG_generate(3)>,
L<RAND_DRBG(7)>
=head1 HISTORY
The OPENSSL_CTX_get0_primary_drbg(), OPENSSL_CTX_get0_public_drbg() and
OPENSSL_CTX_get0_private_drbg() functions were added in OpenSSL 3.0.
All other RAND_DRBG functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

170
doc/man3/RAND_DRBG_new.pod
View File

@ -1,170 +0,0 @@
=pod
=head1 NAME
RAND_DRBG_new_ex,
RAND_DRBG_new,
RAND_DRBG_set,
RAND_DRBG_set_defaults,
RAND_DRBG_instantiate,
RAND_DRBG_uninstantiate,
RAND_DRBG_free,
RAND_DRBG_verify_zeroization
- initialize and cleanup a RAND_DRBG instance
=head1 SYNOPSIS
#include <openssl/rand_drbg.h>
RAND_DRBG *RAND_DRBG_new_ex(OPENSSL_CTX *ctx,
int type,
unsigned int flags,
RAND_DRBG *parent);
RAND_DRBG *RAND_DRBG_new(int type,
unsigned int flags,
RAND_DRBG *parent);
int RAND_DRBG_set_defaults(int type, unsigned int flags);
int RAND_DRBG_instantiate(RAND_DRBG *drbg,
const unsigned char *pers, size_t perslen);
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg);
void RAND_DRBG_free(RAND_DRBG *drbg);
int RAND_DRBG_verify_zeroization(RAND_DRBG *drbg);
Deprecated since OpenSSL 3.0, can be hidden entirely by defining
B<OPENSSL_API_COMPAT> with a suitable version value, see
L<openssl_user_macros(7)>:
int RAND_DRBG_set(RAND_DRBG *drbg,
int type, unsigned int flags);
=head1 DESCRIPTION
RAND_DRBG_new_ex() creates a new DRBG instance of the given B<type> for the
given OPENSSL_CTX <ctx>.
The <ctx> parameter can be NULL in which case the default OPENSSL_CTX is used.
RAND_DRBG_new() is the same as RAND_DRBG_new_ex() except that the default
OPENSSL_CTX is always used.
RAND_DRBG_set() initializes the B<drbg> with the given B<type> and B<flags>.
This function is deprecated. Applications should instead use
RAND_DRBG_new_ex() to create a new DRBG.
RAND_DRBG_set_defaults() sets the default B<type> and B<flags> for new DRBG
instances.
The DRBG types are AES-CTR, HMAC and HASH so B<type> can be one of the
following values:
NID_aes_128_ctr, NID_aes_192_ctr, NID_aes_256_ctr, NID_sha1, NID_sha224,
NID_sha256, NID_sha384, NID_sha512, NID_sha512_224, NID_sha512_256,
NID_sha3_224, NID_sha3_256, NID_sha3_384 or NID_sha3_512.
If this method is not called then the default type is given by NID_aes_256_ctr
and the default flags are zero.
Before the DRBG can be used to generate random bits, it is necessary to set
its type and to instantiate it.
The optional B<flags> argument specifies a set of bit flags which can be
joined using the | operator. The supported flags are:
=over 4
=item RAND_DRBG_FLAG_CTR_NO_DF
Disables the use of the derivation function ctr_df. For an explanation,
see [NIST SP 800-90A Rev. 1].
=item RAND_DRBG_FLAG_HMAC
Enables use of HMAC instead of the HASH DRBG.
=item RAND_DRBG_FLAG_PRIMARY
=item RAND_DRBG_FLAG_PUBLIC
=item RAND_DRBG_FLAG_PRIVATE
These 3 flags can be used to set the individual DRBG types created. Multiple
calls are required to set the types to different values. If none of these 3
flags are used, then the same type and flags are used for all 3 DRBGs in the
B<drbg> chain (<master>, <public> and <private>).
=back
If a B<parent> instance is specified then this will be used instead of
the default entropy source for reseeding the B<drbg>. It is said that the
B<drbg> is I<chained> to its B<parent>.
For more information, see the NOTES section.
RAND_DRBG_instantiate()
seeds the B<drbg> instance using random input from trusted entropy sources.
Optionally, a personalization string B<pers> of length B<perslen> can be
specified.
To omit the personalization string, set B<pers>=NULL and B<perslen>=0;
RAND_DRBG_uninstantiate()
clears the internal state of the B<drbg> and puts it back in the
uninstantiated state.
RAND_DRBG_verify_zeroization() confirms if the internal DRBG state is
currently zeroed.
=head1 RETURN VALUES
RAND_DRBG_new_ex() and RAND_DRBG_new() return a pointer to a DRBG instance
allocated on the heap.
RAND_DRBG_set(),
RAND_DRBG_instantiate(), and
RAND_DRBG_uninstantiate()
return 1 on success, and 0 on failure.
RAND_DRBG_verify_zeroization() returns 1 if the DRBG state is current zeroed,
and 0 if not.
RAND_DRBG_free() does not return a value.
=head1 NOTES
The DRBG design supports I<chaining>, which means that a DRBG instance can
use another B<parent> DRBG instance instead of the default entropy source
to obtain fresh random input for reseeding, provided that B<parent> DRBG
instance was properly instantiated, either from a trusted entropy source,
or from yet another parent DRBG instance.
For a detailed description of the reseeding process, see L<RAND_DRBG(7)>.
The default DRBG type and flags are applied only during creation of a DRBG
instance.
To ensure that they are applied to the global and thread-local DRBG instances
(<master>, resp. <public> and <private>), it is necessary to call
RAND_DRBG_set_defaults() before creating any thread and before calling any
cryptographic routines that obtain random data directly or indirectly.
=head1 SEE ALSO
L<RAND_DRBG_generate(3)>,
L<RAND_DRBG(7)>
=head1 HISTORY
The RAND_DRBG_set() function was deprecated in OpenSSL 3.0.
The RAND_DRBG functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

118
doc/man3/RAND_DRBG_reseed.pod
View File

@ -1,118 +0,0 @@
=pod
=head1 NAME
RAND_DRBG_reseed,
RAND_DRBG_set_reseed_interval,
RAND_DRBG_set_reseed_time_interval,
RAND_DRBG_set_reseed_defaults
- reseed a RAND_DRBG instance
=head1 SYNOPSIS
#include <openssl/rand_drbg.h>
int RAND_DRBG_reseed(RAND_DRBG *drbg,
const unsigned char *adin, size_t adinlen,
int prediction_resistance);
int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg,
unsigned int interval);
int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg,
time_t interval);
int RAND_DRBG_set_reseed_defaults(
unsigned int primary_reseed_interval,
unsigned int secondary_reseed_interval,
time_t primary_reseed_time_interval,
time_t secondary_reseed_time_interval
);
=head1 DESCRIPTION
RAND_DRBG_reseed()
reseeds the given B<drbg>, obtaining entropy input from its entropy source
and mixing in the specified additional data provided in the buffer B<adin>
of length B<adinlen>.
The additional data can be omitted by setting B<adin> to NULL and B<adinlen>
to 0.
An immediate reseeding can be requested by setting the
B<prediction_resistance> flag to 1.
Requesting prediction resistance is a relative expensive operation.
See NOTES section for more details.
RAND_DRBG_set_reseed_interval()
sets the reseed interval of the B<drbg>, which is the maximum allowed number
of generate requests between consecutive reseedings.
If B<interval> > 0, then the B<drbg> will reseed automatically whenever the
number of generate requests since its last seeding exceeds the given reseed
interval.
If B<interval> == 0, then this feature is disabled.
RAND_DRBG_set_reseed_time_interval()
sets the reseed time interval of the B<drbg>, which is the maximum allowed
number of seconds between consecutive reseedings.
If B<interval> > 0, then the B<drbg> will reseed automatically whenever the
elapsed time since its last reseeding exceeds the given reseed time interval.
If B<interval> == 0, then this feature is disabled.
RAND_DRBG_set_reseed_defaults() sets the default values for the reseed interval
(B<primary_reseed_interval> and B<secondary_reseed_interval>)
and the reseed time interval
(B<primary_reseed_time_interval> and B<secondary_reseed_tme_interval>)
of DRBG instances.
The default values are set independently for primary DRBG instances (which don't
have a parent) and secondary DRBG instances (which are chained to a parent
DRBG).
=head1 RETURN VALUES
RAND_DRBG_reseed(),
RAND_DRBG_set_reseed_interval(), and
RAND_DRBG_set_reseed_time_interval(),
return 1 on success, 0 on failure.
=head1 NOTES
The default OpenSSL random generator is already set up for automatic reseeding,
so in general it is not necessary to reseed it explicitly, or to modify
its reseeding thresholds.
Normally, the entropy input for seeding a DRBG is either obtained from a
trusted os entropy source or from a parent DRBG instance, which was seeded
(directly or indirectly) from a trusted os entropy source.
In exceptional cases it is possible to replace the reseeding mechanism entirely
by providing application defined callbacks using RAND_DRBG_set_callbacks().
The reseeding default values are applied only during creation of a DRBG instance.
To ensure that they are applied to the global and thread-local DRBG instances
(<primary>, resp. <public> and <private>), it is necessary to call
RAND_DRBG_set_reseed_defaults() before creating any thread and before calling
any cryptographic routines that obtain random data directly or indirectly.
=head1 SEE ALSO
L<RAND_DRBG_generate(3)>,
L<RAND_DRBG_bytes(3)>,
L<RAND_DRBG_set_callbacks(3)>.
L<RAND_DRBG(7)>
=head1 HISTORY
The RAND_DRBG functions were added in OpenSSL 1.1.1.
Prediction resistance is supported from OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

171
doc/man3/RAND_DRBG_set_callbacks.pod
View File

@ -1,171 +0,0 @@
=pod
=head1 NAME
RAND_DRBG_set_callbacks,
RAND_DRBG_set_callback_data,
RAND_DRBG_get_callback_data,
RAND_DRBG_get_entropy_fn,
RAND_DRBG_cleanup_entropy_fn,
RAND_DRBG_get_nonce_fn,
RAND_DRBG_cleanup_nonce_fn
- set callbacks for reseeding
=head1 SYNOPSIS
#include <openssl/rand_drbg.h>
int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
RAND_DRBG_get_entropy_fn get_entropy,
RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
RAND_DRBG_get_nonce_fn get_nonce,
RAND_DRBG_cleanup_nonce_fn cleanup_nonce);
int RAND_DRBG_set_callback_data(RAND_DRBG *drbg, void *ctx);
void *RAND_DRBG_get_callback_data(RAND_DRBG *drbg);
=head2 Callback Functions
typedef size_t (*RAND_DRBG_get_entropy_fn)(
RAND_DRBG *drbg,
unsigned char **pout,
int entropy,
size_t min_len, size_t max_len,
int prediction_resistance);
typedef void (*RAND_DRBG_cleanup_entropy_fn)(
RAND_DRBG *drbg,
unsigned char *out, size_t outlen);
typedef size_t (*RAND_DRBG_get_nonce_fn)(
RAND_DRBG *drbg,
unsigned char **pout,
int entropy,
size_t min_len, size_t max_len);
typedef void (*RAND_DRBG_cleanup_nonce_fn)(
RAND_DRBG *drbg,
unsigned char *out, size_t outlen);
=head1 DESCRIPTION
RAND_DRBG_set_callbacks() sets the callbacks for obtaining fresh entropy and
the nonce when reseeding the given B<drbg>.
The callback functions are implemented and provided by the caller.
Their parameter lists need to match the function prototypes above.
RAND_DRBG_set_callback_data() can be used to store a pointer to some context
specific data, which can subsequently be retrieved by the entropy and nonce
callbacks using RAND_DRBG_get_callback_data().
The ownership of the context data remains with the caller, i.e., it is the
caller's responsibility to keep it available as long as it is needed by the
callbacks and free it after use.
For more information about the callback data see the NOTES section.
Setting the callbacks or the callback data is allowed only if the DRBG has
not been initialized yet.
Otherwise, the operation will fail.
To change the settings for one of the three shared DRBGs it is necessary to call
RAND_DRBG_uninstantiate() first.
The B<get_entropy>() callback is called by the B<drbg> when it requests fresh
random input.
It is expected that the callback allocates and fills a random buffer of size
B<min_len> <= size <= B<max_len> (in bytes) which contains at least B<entropy>
bits of randomness.
The B<prediction_resistance> flag indicates whether the reseeding was
triggered by a prediction resistance request.
The buffer's address is to be returned in *B<pout> and the number of collected
randomness bytes as return value.
If the callback fails to acquire at least B<entropy> bits of randomness,
it must indicate an error by returning a buffer length of 0.
If B<prediction_resistance> was requested and the random source of the DRBG
does not satisfy the conditions requested by [NIST SP 800-90C], then
it must also indicate an error by returning a buffer length of 0.
See NOTES section for more details.
The B<cleanup_entropy>() callback is called from the B<drbg> to clear and
free the buffer allocated previously by get_entropy().
The values B<out> and B<outlen> are the random buffer's address and length,
as returned by the get_entropy() callback.
The B<get_nonce>() and B<cleanup_nonce>() callbacks are used to obtain a nonce
and free it again. A nonce is only required for instantiation (not for reseeding)
and only in the case where the DRBG uses a derivation function.
The callbacks are analogous to get_entropy() and cleanup_entropy(),
except for the missing prediction_resistance flag.
If the derivation function is disabled, then no nonce is used for instantiation,
and the B<get_nonce>() and B<cleanup_nonce>() callbacks can be omitted by
setting them to NULL.
=head1 RETURN VALUES
RAND_DRBG_set_callbacks() returns 1 on success, and 0 on failure.
RAND_DRBG_set_callback_data() returns 1 on success, and 0 on failure.
RAND_DRBG_get_callback_data() returns the pointer to the callback data,
which is NULL if none has been set previously.
=head1 NOTES
It is important that B<cleanup_entropy>() and B<cleanup_nonce>() clear the buffer
contents safely before freeing it, in order not to leave sensitive information
about the DRBG's state in memory.
A request for prediction resistance can only be satisfied by pulling fresh
entropy from a live entropy source (section 5.5.2 of [NIST SP 800-90C]).
It is up to the user to ensure that a live entropy source is configured
and is being used.
The derivation function is disabled by calling the RAND_DRBG_new_ex()
function with the RAND_DRBG_FLAG_CTR_NO_DF flag. For more information on
the derivation function and when it can be omitted, see [NIST SP 800-90A
Rev. 1]. Roughly speaking it can be omitted if the random source has "full
entropy", that is, it contains 8 bits of entropy per byte. In a FIPS context,
the derivation function can never be omitted.
Even if a nonce is required, the B<get_nonce>() and B<cleanup_nonce>()
callbacks can be omitted by setting them to NULL.
In this case the DRBG will automatically request an extra amount of entropy
(using the B<get_entropy>() and B<cleanup_entropy>() callbacks) which it will
utilize for the nonce, following the recommendations of [NIST SP 800-90A Rev. 1],
section 8.6.7.
The callback data is a rather specialized feature, because in general the
random sources don't (and in fact, they must not) depend on any state provided
by the DRBG.
There are however exceptional cases where this feature is useful, most notably
for implementing known answer tests (KATs) or deterministic signatures like
those specified in RFC6979, which require passing a specified entropy and nonce
for instantiating the DRBG.
=head1 SEE ALSO
L<RAND_DRBG_new(3)>,
L<RAND_DRBG_reseed(3)>,
L<RAND_DRBG(7)>
=head1 HISTORY
The RAND_DRBG functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

4
doc/man3/RAND_add.pod
View File

@ -58,7 +58,7 @@ should consider using L<RAND_load_file(3)> instead.
NOTE: In FIPS mode, random data provided by the application is not considered to
be a trusted entropy source. It is mixed into the internal state of the RNG as
additional data only and this does not count as a full reseed.
For more details, see L<RAND_DRBG(7)>.
For more details, see L<EVP_RAND(7)>.
RAND_seed() is equivalent to RAND_add() with B<randomness> set to B<num>.
@ -92,7 +92,7 @@ L<RAND_bytes(3)>,
L<RAND_egd(3)>,
L<RAND_load_file(3)>,
L<RAND(7)>
L<RAND_DRBG(7)>
L<EVP_RAND(7)>
=head1 HISTORY

4
doc/man3/RAND_bytes.pod
View File

@ -31,7 +31,7 @@ be used for generating values that should remain private. If using the
default RAND_METHOD, this function uses a separate "private" PRNG
instance so that a compromise of the "public" PRNG instance will not
affect the secrecy of these private values, as described in L<RAND(7)>
and L<RAND_DRBG(7)>.
and L<EVP_RAND(7)>.
RAND_bytes_ex() and RAND_priv_bytes_ex() are the same as RAND_bytes() and
RAND_priv_bytes() except that they both take an additional I<ctx> parameter.
@ -75,7 +75,7 @@ L<RAND_bytes(3)>,
L<RAND_priv_bytes(3)>,
L<ERR_get_error(3)>,
L<RAND(7)>,
L<RAND_DRBG(7)>
L<EVP_RAND(7)>
=head1 HISTORY

78
doc/man3/RAND_get0_primary.pod Normal file
View File

@ -0,0 +1,78 @@
=pod
=head1 NAME
RAND_get0_primary,
RAND_get0_public,
RAND_get0_private
- get access to the global EVP_RAND_CTX instances
=head1 SYNOPSIS
#include <openssl/rand.h>
EVP_RAND_CTX *RAND_get0_primary(OPENSSL_CTX *ctx);
EVP_RAND_CTX *RAND_get0_public(OPENSSL_CTX *ctx);
EVP_RAND_CTX *RAND_get0_private(OPENSSL_CTX *ctx);
=head1 DESCRIPTION
The default RAND API implementation (RAND_OpenSSL()) utilizes three
shared DRBG instances which are accessed via the RAND API:
The I<public> and I<private> DRBG are thread-local instances, which are used
by RAND_bytes() and RAND_priv_bytes(), respectively.
The I<primary> DRBG is a global instance, which is not intended to be used
directly, but is used internally to reseed the other two instances.
These functions here provide access to the shared DRBG instances.
=head1 RETURN VALUES
RAND_get0_primary() returns a pointer to the I<primary> DRBG instance
for the given OPENSSL_CTX B<ctx>.
RAND_get0_public() returns a pointer to the I<public> DRBG instance
for the given OPENSSL_CTX B<ctx>.
RAND_get0_private() returns a pointer to the I<private> DRBG instance
for the given OPENSSL_CTX B<ctx>.
In all the above cases the B<ctx> parameter can
be NULL in which case the default OPENSSL_CTX is used.
=head1 NOTES
It is not thread-safe to access the I<primary> DRBG instance.
The I<public> and I<private> DRBG instance can be accessed safely, because
they are thread-local. Note however, that changes to these two instances
apply only to the current thread.
For that reason it is recommended not to change the settings of these
three instances directly.
Instead, an application should change the default settings for new DRBG instances
at initialization time, before creating additional threads.
During initialization, it is possible to change the reseed interval
and reseed time interval.
It is also possible to exchange the reseeding callbacks entirely.
=head1 SEE ALSO
L<EVP_RAND(3)>
=head1 HISTORY
These functions were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

111
doc/man7/RAND_DRBG.pod → doc/man7/EVP_RAND.pod
View File

@ -2,30 +2,31 @@
=head1 NAME
RAND_DRBG - the deterministic random bit generator
EVP_RAND - the random bit generator
=head1 SYNOPSIS
#include <openssl/rand_drbg.h>
#include <openssl/evp.h>
#include <rand.h>
=head1 DESCRIPTION
The default OpenSSL RAND method is based on the RAND_DRBG class,
which implements a deterministic random bit generator (DRBG).
The default OpenSSL RAND method is based on the EVP_RAND classes to provide
non-deterministic inputs to other cryptographic algorithms.
While the RAND API is the 'frontend' which is intended to be used by
application developers for obtaining random bytes, the EVP_RAND API
serves as the 'backend', connecting the former with the operating
systems's entropy sources and providing access to deterministic random
bit generators (DRBG) and their configuration parameters.
A DRBG is a certain type of cryptographically-secure pseudo-random
number generator (CSPRNG), which is described in
[NIST SP 800-90A Rev. 1].
While the RAND API is the 'frontend' which is intended to be used by
application developers for obtaining random bytes, the RAND_DRBG API
serves as the 'backend', connecting the former with the operating
systems's entropy sources and providing access to the DRBG's
configuration parameters.
=head2 Disclaimer
Unless you have very specific requirements for your random generator,
it is in general not necessary to utilize the RAND_DRBG API directly.
it is in general not necessary to utilize the EVP_RAND API directly.
The usual way to obtain random bytes is to use L<RAND_bytes(3)> or
L<RAND_priv_bytes(3)>, see also L<RAND(7)>.
@ -46,6 +47,8 @@ to be locked).
=item *
You need to integrate a previously unsupported entropy source.
Refer to L<provider-rand(7)> for the implementation details to support adding
randomness sources to EVP_RAND.
=item *
@ -55,30 +58,33 @@ implementation to meet specific requirements.
=back
=head1 CHAINING
=head1 EVP_RAND CHAINING
A DRBG instance can be used as the entropy source of another DRBG instance,
provided it has itself access to a valid entropy source.
The DRBG instance which acts as entropy source is called the I<parent> DRBG,
the other instance the I<child> DRBG.
An EVP_RAND instance can be used as the entropy source of another
EVP_RAND instance, provided it has itself access to a valid entropy source.
The EVP_RAND instance which acts as entropy source is called the I<parent>,
the other instance the I<child>. Typically, the child will be a DRBG because
it does not make sense for the child to be an entropy source.
This is called chaining. A chained DRBG instance is created by passing
a pointer to the parent DRBG as argument to the RAND_DRBG_new() call.
This is called chaining. A chained EVP_RAND instance is created by passing
a pointer to the parent EVP_RAND_CTX as argument to the EVP_RAND_CTX_new() call.
It is possible to create chains of more than two DRBG in a row.
It is also possible to use any EVP_RAND_CTX class as the parent, however, only
a live entropy source may ignore and not use its parent.
=head1 THE THREE SHARED DRBG INSTANCES
Currently, there are three shared DRBG instances,
the <master>, <public>, and <private> DRBG.
While the <master> DRBG is a single global instance, the <public> and <private>
the <primary>, <public>, and <private> DRBG.
While the <primary> DRBG is a single global instance, the <public> and <private>
DRBG are created per thread and accessed through thread-local storage.
By default, the functions L<RAND_bytes(3)> and L<RAND_priv_bytes(3)> use
the thread-local <public> and <private> DRBG instance, respectively.
=head2 The <master> DRBG instance
=head2 The <primary> DRBG instance
The <master> DRBG is not used directly by the application, only for reseeding
The <primary> DRBG is not used directly by the application, only for reseeding
the two other two DRBG instances. It reseeds itself by obtaining randomness
either from os entropy sources or by consuming randomness which was added
previously by L<RAND_add(3)>.
@ -94,18 +100,16 @@ This instance is used per default by L<RAND_priv_bytes(3)>
=head1 LOCKING
The <master> DRBG is intended to be accessed concurrently for reseeding
The <primary> DRBG is intended to be accessed concurrently for reseeding
by its child DRBG instances. The necessary locking is done internally.
It is I<not> thread-safe to access the <master> DRBG directly via the
RAND_DRBG interface.
It is I<not> thread-safe to access the <primary> DRBG directly via the
EVP_RAND interface.
The <public> and <private> DRBG are thread-local, i.e. there is an
instance of each per thread. So they can safely be accessed without
locking via the RAND_DRBG interface.
locking via the EVP_RAND interface.
Pointers to these DRBG instances can be obtained using
RAND_DRBG_get0_master(),
RAND_DRBG_get0_public(), and
RAND_DRBG_get0_private(), respectively.
RAND_get0_primary(), RAND_get0_public() and RAND_get0_private(), respectively.
Note that it is not allowed to store a pointer to one of the thread-local
DRBG instances in a variable or other memory location where it will be
accessed and used by multiple threads.
@ -114,9 +118,9 @@ All other DRBG instances created by an application don't support locking,
because they are intended to be used by a single thread.
Instead of accessing a single DRBG instance concurrently from different
threads, it is recommended to instantiate a separate DRBG instance per
thread. Using the <master> DRBG as entropy source for multiple DRBG
thread. Using the <primary> DRBG as entropy source for multiple DRBG
instances on different threads is thread-safe, because the DRBG instance
will lock the <master> DRBG automatically for obtaining random input.
will lock the <primary> DRBG automatically for obtaining random input.
=head1 THE OVERALL PICTURE
@ -128,7 +132,7 @@ together and are being used.
+--------------------+
|
v +-----------------------------+
RAND_add() ==> <master> <-| shared DRBG (with locking) |
RAND_add() ==> <primary> <-| shared DRBG (with locking) |
/ \ +-----------------------------+
/ \ +---------------------------+
<public> <private> <- | per-thread DRBG instances |
@ -145,10 +149,9 @@ together and are being used.
The usual way to obtain random bytes is to call RAND_bytes(...) or
RAND_priv_bytes(...). These calls are roughly equivalent to calling
RAND_DRBG_bytes(<public>, ...) and RAND_DRBG_bytes(<private>, ...),
respectively. The method L<RAND_DRBG_bytes(3)> is a convenience method
wrapping the L<RAND_DRBG_generate(3)> function, which serves the actual
request for random data.
EVP_RAND_generate(<public>, ...) and
EVP_RAND_generate(<private>, ...),
respectively.
=head1 RESEEDING
@ -163,7 +166,7 @@ the reseeding process in more detail.
=head2 Automatic Reseeding
Before satisfying a generate request (L<RAND_DRBG_generate(3)>), the DRBG
Before satisfying a generate request (L<EVP_RAND_generate(3)>), the DRBG
reseeds itself automatically, if one of the following conditions holds:
- the DRBG was not instantiated (=seeded) yet or has been uninstantiated.
@ -187,7 +190,8 @@ from the error as soon as the entropy source is available again.
In addition to automatic reseeding, the caller can request an immediate
reseeding of the DRBG with fresh entropy by setting the
I<prediction resistance> parameter to 1 when calling L<RAND_DRBG_generate(3)>.
I<prediction resistance> parameter to 1 when calling
L<EVP_RAND_generate(3)>.
The document [NIST SP 800-90C] describes prediction resistance requests
in detail and imposes strict conditions on the entropy sources that are
@ -197,13 +201,12 @@ entropy from a live entropy source (section 5.5.2 of [NIST SP 800-90C]).
It is up to the user to ensure that a live entropy source is configured
and is being used.
For the three shared DRBGs (and only for these) there is another way to
reseed them manually:
If L<RAND_add(3)> is called with a positive I<randomness> argument
(or L<RAND_seed(3)>), then this will immediately reseed the <master> DRBG.
(or L<RAND_seed(3)>), then this will immediately reseed the <primary> DRBG.
The <public> and <private> DRBG will detect this on their next generate
call and reseed, pulling randomness from <master>.
call and reseed, pulling randomness from <primary>.
The last feature has been added to support the common practice used with
previous OpenSSL versions to call RAND_add() before calling RAND_bytes().
@ -216,23 +219,22 @@ which comes from a trusted source, and I<additional input>',
which can optionally be added by the user and is considered untrusted.
It is possible to add I<additional input> not only during reseeding,
but also for every generate request.
This is in fact done automatically by L<RAND_DRBG_bytes(3)>.
=head2 Configuring the Random Seed Source
In most cases OpenSSL will automatically choose a suitable seed source
for automatically seeding and reseeding its <master> DRBG. In some cases
for automatically seeding and reseeding its <primary> DRBG. In some cases
however, it will be necessary to explicitly specify a seed source during
configuration, using the --with-rand-seed option. For more information,
see the INSTALL instructions. There are also operating systems where no
seed source is available and automatic reseeding is disabled by default.
The following two sections describe the reseeding process of the master
The following two sections describe the reseeding process of the primary
DRBG, depending on whether automatic reseeding is available or not.
=head2 Reseeding the master DRBG with automatic seeding enabled
=head2 Reseeding the primary DRBG with automatic seeding enabled
Calling RAND_poll() or RAND_add() is not necessary, because the DRBG
pulls the necessary entropy from its source automatically.
@ -271,7 +273,7 @@ reseeding (Section 9.2). For that reason, the I<randomness>
argument is ignored and the random bytes provided by the L<RAND_add(3)> and
L<RAND_seed(3)> calls are treated as additional data.
=head2 Reseeding the master DRBG with automatic seeding disabled
=head2 Reseeding the primary DRBG with automatic seeding disabled
Calling RAND_poll() will always fail.
@ -286,20 +288,15 @@ I<security strength> of the DRBG, which is set to 256 by default.
=head1 SEE ALSO
L<RAND_DRBG_bytes(3)>,
L<RAND_DRBG_generate(3)>,
L<RAND_DRBG_reseed(3)>,
L<RAND_DRBG_get0_master(3)>,
L<RAND_DRBG_get0_public(3)>,
L<RAND_DRBG_get0_private(3)>,
L<RAND_DRBG_set_reseed_interval(3)>,
L<RAND_DRBG_set_reseed_time_interval(3)>,
L<RAND_DRBG_set_reseed_defaults(3)>,
L<RAND(7)>,
L<RAND(7)>, L<EVP_RAND(3)>
=head1 HISTORY
This functionality was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

35
doc/man7/RAND.pod
View File

@ -33,11 +33,12 @@ is available or the trusted source(s) temporarily fail to provide sufficient
random seed material.
In this case the CSPRNG enters an error state and ceases to provide output,
until it is able to recover from the error by reseeding itself.
For more details on reseeding and error recovery, see L<RAND_DRBG(7)>.
For more details on reseeding and error recovery, see L<EVP_RAND(7)>.
For values that should remain secret, you can use L<RAND_priv_bytes(3)>
instead.
This method does not provide 'better' randomness, it uses the same type of CSPRNG.
This method does not provide 'better' randomness, it uses the same type of
CSPRNG.
The intention behind using a dedicated CSPRNG exclusively for private
values is that none of its output should be visible to an attacker (e.g.,
used as salt value), in order to reveal as little information as
@ -45,35 +46,31 @@ possible about its internal state, and that a compromise of the "public"
CSPRNG instance will not affect the secrecy of these private values.
In the rare case where the default implementation does not satisfy your special
requirements, there are two options:
requirements, the default RAND method can be replaced by your own RAND
method using L<RAND_set_rand_method(3)>.
=over 2
Changing the default random generator should be necessary
only in exceptional cases and is not recommended, unless you have a profound
knowledge of cryptographic principles and understand the implications of your
changes.
=item *
=head1 DEAFULT SETUP
Replace the default RAND method by your own RAND method using
L<RAND_set_rand_method(3)>.
The default OpenSSL RAND method is based on the EVP_RAND deterministic random
bit generator (DRBG) classes.
A DRBG is a certain type of cryptographically-secure pseudo-random
number generator (CSPRNG), which is described in [NIST SP 800-90A Rev. 1].
=item *
Modify the default settings of the OpenSSL RAND method by modifying the security
parameters of the underlying DRBG, which is described in detail in L<RAND_DRBG(7)>.
=back
Changing the default random generator or its default parameters should be necessary
only in exceptional cases and is not recommended, unless you have a profound knowledge
of cryptographic principles and understand the implications of your changes.
=head1 SEE ALSO
L<RAND_add(3)>,
L<RAND_bytes(3)>,
L<RAND_priv_bytes(3)>,
L<RAND_get_rand_method(3)>,
L<RAND_set_rand_method(3)>,
L<RAND_OpenSSL(3)>,
L<RAND_DRBG(7)>
L<EVP_RAND(3)>,
L<RAND_get0_primary(3)>
=head1 COPYRIGHT

14
doc/man7/provider-rand.pod
View File

@ -38,10 +38,6 @@ functions
/* Random number generator functions: additional */
size_t OSSL_FUNC_rand_nonce(void *ctx, unsigned char *out, size_t outlen,
int strength, size_t min_noncelen, size_t max_noncelen);
void OSSL_FUNC_rand_set_callbacks(void *ctx, OSSL_CALLBACK *get_entropy,
OSSL_CALLBACK *cleanup_entropy,
OSSL_CALLBACK *get_nonce,
OSSL_CALLBACK *cleanup_nonce, void *arg);
int OSSL_FUNC_rand_verify_zeroization(void *ctx);
/* Context Locking */
@ -114,14 +110,6 @@ OSSL_FUNC_rand_nonce() is used to generate a nonce of the given I<strength> with
length from I<min_noncelen> to I<max_noncelen>. If the output buffer I<out> is
NULL, the length of the nonce should be returned.
OSSL_FUNC_rand_set_callbacks() is used to supply custom entropy and nonce callbacks.
Instead of gathering seed material from its usual sources, the DRBG I<ctx>
should call these functions.
The I<get_entropy> and I<cleanup_entropy> callbacks obtain and release bytes
of entropy.
The I<get_nonce> and I<cleanup_nonce> functions obtain and release nonce bytes.
In all cases, the additional argument I<arg> is passed to the callbacks.
OSSL_FUNC_rand_verify_zeroization() is used to determine if the internal state of the
DRBG is zero. This capability is mandated by NIST as part of the self
tests, it is unlikely to be useful in other circumstances.
@ -258,7 +246,7 @@ All of the remaining functions should return 1 for success or 0 on error.
L<provider(7)>,
L<RAND(7)>,
L<RAND_DRBG(7)>
L<EVP_RAND(7)>
=head1 HISTORY

3
include/openssl/core_dispatch.h
View File

@ -374,8 +374,7 @@ OSSL_CORE_MAKE_FUNC(int, kdf_set_ctx_params,
# define OSSL_FUNC_RAND_GET_PARAMS 14
# define OSSL_FUNC_RAND_GET_CTX_PARAMS 15
# define OSSL_FUNC_RAND_SET_CTX_PARAMS 16
# define OSSL_FUNC_RAND_SET_CALLBACKS 17
# define OSSL_FUNC_RAND_VERIFY_ZEROIZATION 18
# define OSSL_FUNC_RAND_VERIFY_ZEROIZATION 17
OSSL_CORE_MAKE_FUNC(void *,rand_newctx,
(void *provctx, void *parent,

6
include/openssl/evp.h
View File

@ -1160,11 +1160,7 @@ int EVP_RAND_reseed(EVP_RAND_CTX *ctx, int prediction_resistance,
const unsigned char *addin, size_t addin_len);
__owur int EVP_RAND_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen);
__owur int EVP_RAND_enable_locking(EVP_RAND_CTX *ctx);
int EVP_RAND_set_callbacks(EVP_RAND_CTX *ctx,
OSSL_INOUT_CALLBACK *get_entropy,
OSSL_CALLBACK *cleanup_entropy,
OSSL_INOUT_CALLBACK *get_nonce,
OSSL_CALLBACK *cleanup_nonce, void *arg);
int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx);
unsigned int EVP_RAND_strength(EVP_RAND_CTX *ctx);
int EVP_RAND_state(EVP_RAND_CTX *ctx);

15
include/openssl/rand.h
View File

@ -20,11 +20,22 @@
# include <openssl/types.h>
# include <openssl/e_os2.h>
# include <openssl/randerr.h>
# include <openssl/evp.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* Default security strength (in the sense of [NIST SP 800-90Ar1])
*
* NIST SP 800-90Ar1 supports the strength of the DRBG being smaller than that
* of the cipher by collecting less entropy. The current DRBG implementation
* does not take RAND_DRBG_STRENGTH into account and sets the strength of the
* DRBG to that of the cipher.
*/
# define RAND_DRBG_STRENGTH 256
struct rand_meth_st {
int (*seed) (const void *buf, int num);
int (*bytes) (unsigned char *buf, int num);
@ -56,6 +67,10 @@ int RAND_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num);
DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
EVP_RAND_CTX *RAND_get0_primary(OPENSSL_CTX *ctx);
EVP_RAND_CTX *RAND_get0_public(OPENSSL_CTX *ctx);
EVP_RAND_CTX *RAND_get0_private(OPENSSL_CTX *ctx);
void RAND_seed(const void *buf, int num);
void RAND_keep_random_devices_open(int keep);

168
include/openssl/rand_drbg.h
View File

@ -1,168 +0,0 @@
/*
* Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef OPENSSL_RAND_DRBG_H
# define OPENSSL_RAND_DRBG_H
# pragma once
# include <openssl/macros.h>
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define HEADER_DRBG_RAND_H
# endif
# include <time.h>
# include <openssl/types.h>
# include <openssl/obj_mac.h>
/*
* RAND_DRBG flags
*
* Note: if new flags are added, the constant `rand_drbg_used_flags`
* in drbg_lib.c needs to be updated accordingly.
*/
/* In CTR mode, disable derivation function ctr_df */
# define RAND_DRBG_FLAG_CTR_NO_DF 0x1
/*
* This flag is only used when a digest NID is specified (i.e: not a CTR cipher)
* Selects DRBG_HMAC if this is set otherwise use DRBG_HASH.
*/
# define RAND_DRBG_FLAG_HMAC 0x2
/* Used by RAND_DRBG_set_defaults() to set the primary DRBG type and flags. */
# define RAND_DRBG_FLAG_PRIMARY 0x4
/* Used by RAND_DRBG_set_defaults() to set the public DRBG type and flags. */
# define RAND_DRBG_FLAG_PUBLIC 0x8
/* Used by RAND_DRBG_set_defaults() to set the private DRBG type and flags. */
# define RAND_DRBG_FLAG_PRIVATE 0x10
# ifndef OPENSSL_NO_DEPRECATED_3_0
/* This #define was replaced by an internal constant and should not be used. */
# define RAND_DRBG_USED_FLAGS (RAND_DRBG_FLAG_CTR_NO_DF)
# endif
/*
* Default security strength (in the sense of [NIST SP 800-90Ar1])
*
* NIST SP 800-90Ar1 supports the strength of the DRBG being smaller than that
* of the cipher by collecting less entropy. The current DRBG implementation
* does not take RAND_DRBG_STRENGTH into account and sets the strength of the
* DRBG to that of the cipher.
*
* RAND_DRBG_STRENGTH is currently only used for the legacy RAND
* implementation.
*
* Currently supported ciphers are: NID_aes_128_ctr, NID_aes_192_ctr and
* NID_aes_256_ctr.
* The digest types for DRBG_hash or DRBG_hmac are: NID_sha1, NID_sha224,
* NID_sha256, NID_sha384, NID_sha512, NID_sha512_224, NID_sha512_256,
* NID_sha3_224, NID_sha3_256, NID_sha3_384 and NID_sha3_512.
*/
# define RAND_DRBG_STRENGTH 256
/* Default drbg type */
# define RAND_DRBG_TYPE NID_aes_256_ctr
/* Default drbg flags */
# define RAND_DRBG_FLAGS 0
# ifdef __cplusplus
extern "C" {
# endif
/*
* Object lifetime functions.
*/
RAND_DRBG *RAND_DRBG_new_ex(OPENSSL_CTX *ctx, int type, unsigned int flags,
RAND_DRBG *parent);
RAND_DRBG *RAND_DRBG_new(int type, unsigned int flags, RAND_DRBG *parent);
DEPRECATEDIN_3_0(int RAND_DRBG_set(RAND_DRBG *drbg, int type,
unsigned int flags))
int RAND_DRBG_set_defaults(int type, unsigned int flags);
int RAND_DRBG_instantiate(RAND_DRBG *drbg,
const unsigned char *pers, size_t perslen);
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg);
void RAND_DRBG_free(RAND_DRBG *drbg);
/*
* Object "use" functions.
*/
int RAND_DRBG_reseed(RAND_DRBG *drbg,
const unsigned char *adin, size_t adinlen,
int prediction_resistance);
int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
int prediction_resistance,
const unsigned char *adin, size_t adinlen);
int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen);
int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg, unsigned int interval);
int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg, time_t interval);
int RAND_DRBG_set_reseed_defaults(
unsigned int primary_reseed_interval,
unsigned int secondary_reseed_interval,
time_t primary_reseed_time_interval,
time_t secondary_reseed_time_interval
);
RAND_DRBG *OPENSSL_CTX_get0_primary_drbg(OPENSSL_CTX *ctx);
RAND_DRBG *OPENSSL_CTX_get0_public_drbg(OPENSSL_CTX *ctx);
RAND_DRBG *OPENSSL_CTX_get0_private_drbg(OPENSSL_CTX *ctx);
RAND_DRBG *RAND_DRBG_get0_master(void);
RAND_DRBG *RAND_DRBG_get0_public(void);
RAND_DRBG *RAND_DRBG_get0_private(void);
# ifndef OPENSSL_NO_DEPRECATED_3_0
/* Retain legacy deprecated names */
# define RAND_DRBG_FLAG_MASTER RAND_DRBG_FLAG_PRIMARY
# define OPENSSL_CTX_get0_master_drbg OPENSSL_CTX_get0_primary_drbg
# define RAND_DRBG_get0_master RAND_DRBG_get0_master
# endif
/*
* EXDATA
*/
# define RAND_DRBG_get_ex_new_index(l, p, newf, dupf, freef) \
CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RAND_DRBG, l, p, newf, dupf, freef)
int RAND_DRBG_set_ex_data(RAND_DRBG *drbg, int idx, void *arg);
void *RAND_DRBG_get_ex_data(const RAND_DRBG *drbg, int idx);
/*
* Callback function typedefs
*/
typedef size_t (*RAND_DRBG_get_entropy_fn)(RAND_DRBG *drbg,
unsigned char **pout,
int entropy, size_t min_len,
size_t max_len,
int prediction_resistance);
typedef void (*RAND_DRBG_cleanup_entropy_fn)(RAND_DRBG *ctx,
unsigned char *out, size_t outlen);
typedef size_t (*RAND_DRBG_get_nonce_fn)(RAND_DRBG *drbg, unsigned char **pout,
int entropy, size_t min_len,
size_t max_len);
typedef void (*RAND_DRBG_cleanup_nonce_fn)(RAND_DRBG *drbg,
unsigned char *out, size_t outlen);
int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
RAND_DRBG_get_entropy_fn get_entropy,
RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
RAND_DRBG_get_nonce_fn get_nonce,
RAND_DRBG_cleanup_nonce_fn cleanup_nonce);
int RAND_DRBG_set_callback_data(RAND_DRBG *drbg, void *data);
void *RAND_DRBG_get_callback_data(RAND_DRBG *drbg);
int RAND_DRBG_verify_zeroization(RAND_DRBG *drbg);
# ifdef __cplusplus
}
# endif
#endif

2
include/openssl/randerr.h
View File

@ -98,6 +98,8 @@ int ERR_load_RAND_strings(void);
# define RAND_R_SELFTEST_FAILURE 119
# define RAND_R_TOO_LITTLE_NONCE_REQUESTED 135
# define RAND_R_TOO_MUCH_NONCE_REQUESTED 136
# define RAND_R_UNABLE_TO_CREATE_DRBG 143
# define RAND_R_UNABLE_TO_FETCH_DRBG 144
# define RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER 141
# define RAND_R_UNABLE_TO_GET_PARENT_STRENGTH 138
# define RAND_R_UNABLE_TO_GET_RESEED_PROP_CTR 142

4
providers/fips/fipsprov.c
View File

@ -12,7 +12,7 @@
#include <openssl/params.h>
#include <openssl/obj_mac.h> /* NIDs used by ossl_prov_util_nid_to_name() */
#include <openssl/fips_names.h>
#include <openssl/rand_drbg.h> /* OPENSSL_CTX_get0_public_drbg() */
#include <openssl/rand.h> /* RAND_get0_public() */
#include "internal/cryptlib.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
@ -642,7 +642,7 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
}
/* TODO(3.0): Tests will hang if this is removed */
(void)OPENSSL_CTX_get0_public_drbg(libctx);
(void)RAND_get0_public(libctx);
*out = fips_dispatch_table;
return 1;

2
providers/implementations/include/prov/rand_pool.h
View File

@ -11,7 +11,7 @@
# define OSSL_PROVIDER_RAND_POOL_H
# include <stdio.h>
# include <openssl/rand_drbg.h>
# include <openssl/rand.h>
/*
* Maximum allocation size for RANDOM_POOL buffers

89
providers/implementations/rands/drbg.c
View File

@ -228,19 +228,7 @@ err:
static void prov_drbg_cleanup_entropy(PROV_DRBG *drbg,
unsigned char *out, size_t outlen)
{
OSSL_PARAM params[3], *p = params;
if (drbg->get_entropy_fn != NULL) {
if (drbg->cleanup_entropy_fn != NULL) {
*p++ = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_SIZE,
&outlen);
*p++ = OSSL_PARAM_construct_octet_ptr(OSSL_DRBG_PARAM_RANDOM_DATA,
(void **)&out, 0);
*p = OSSL_PARAM_construct_end();
drbg->cleanup_entropy_fn(params, drbg->callback_arg);
}
} else if (drbg->seed_pool == NULL) {
if (drbg->seed_pool == NULL) {
OPENSSL_secure_clear_free(out, outlen);
}
}
@ -249,28 +237,6 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
size_t min_len, size_t max_len,
int prediction_resistance)
{
if (drbg->get_entropy_fn != NULL) {
OSSL_PARAM params[6], *p = params;
OSSL_PARAM out[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
*p++ = OSSL_PARAM_construct_int(OSSL_DRBG_PARAM_ENTROPY_REQUIRED,
&entropy);
*p++ = OSSL_PARAM_construct_int(OSSL_DRBG_PARAM_PREDICTION_RESISTANCE,
&prediction_resistance);
*p++ = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_MIN_LENGTH,
&min_len);
*p++ = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_MAX_LENGTH,
&max_len);
*p = OSSL_PARAM_construct_end();
*out = OSSL_PARAM_construct_octet_ptr(OSSL_DRBG_PARAM_RANDOM_DATA,
(void **)pout, 0);
if (drbg->get_entropy_fn(params, out, drbg->callback_arg))
return out->return_size;
ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_ENTROPY);
return 0;
}
#ifdef FIPS_MODULE
if (drbg->parent == NULL)
return prov_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
@ -349,8 +315,6 @@ static size_t prov_drbg_get_nonce(PROV_DRBG *drbg,
PROV_DRBG_NONCE_GLOBAL *dngbl
= openssl_ctx_get_data(libctx, OPENSSL_CTX_DRBG_NONCE_INDEX,
&drbg_nonce_ossl_ctx_method);
OSSL_PARAM params[5], *p = params;
OSSL_PARAM out[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
struct {
void *instance;
int count;
@ -359,22 +323,6 @@ static size_t prov_drbg_get_nonce(PROV_DRBG *drbg,
if (dngbl == NULL)
return 0;
if (drbg->get_nonce_fn != NULL) {
*p++ = OSSL_PARAM_construct_int(OSSL_DRBG_PARAM_ENTROPY_REQUIRED,
&entropy);
*p++ = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_MIN_LENGTH,
&min_len);
*p++ = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_MAX_LENGTH,
&max_len);
*p = OSSL_PARAM_construct_end();
*out = OSSL_PARAM_construct_octet_ptr(OSSL_DRBG_PARAM_RANDOM_DATA,
(void **)pout, 0);
if (drbg->get_nonce_fn(params, out, drbg->callback_arg))
return out->return_size;
ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_NONCE);
return 0;
}
if (drbg->parent != NULL) {
if (drbg->parent_nonce != NULL) {
n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen,
@ -420,21 +368,7 @@ static size_t prov_drbg_get_nonce(PROV_DRBG *drbg,
static void prov_drbg_clear_nonce(PROV_DRBG *drbg, unsigned char *nonce,
size_t noncelen)
{
OSSL_PARAM params[3], *p = params;
if (drbg->get_nonce_fn != NULL) {
if (drbg->cleanup_nonce_fn != NULL) {
*p++ = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_SIZE,
&noncelen);
*p++ = OSSL_PARAM_construct_octet_ptr(OSSL_DRBG_PARAM_RANDOM_DATA,
(void **)&nonce, 0);
*p = OSSL_PARAM_construct_end();
drbg->cleanup_nonce_fn(params, drbg->callback_arg);
}
} else {
OPENSSL_clear_free(nonce, noncelen);
}
OPENSSL_clear_free(nonce, noncelen);
}
#else
# define prov_drbg_clear_nonce(drbg, nonce, len) \
@ -1015,22 +949,3 @@ int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
return 0;
return 1;
}
int drbg_set_callbacks(void *vctx, OSSL_INOUT_CALLBACK *get_entropy_fn,
OSSL_CALLBACK *cleanup_entropy_fn,
OSSL_INOUT_CALLBACK *get_nonce_fn,
OSSL_CALLBACK *cleanup_nonce_fn, void *arg)
{
PROV_DRBG *drbg = vctx;
if (drbg->state != EVP_RAND_STATE_UNINITIALISED
|| drbg->parent != NULL)
return 0;
drbg->get_entropy_fn = get_entropy_fn;
drbg->cleanup_entropy_fn = cleanup_entropy_fn;
drbg->get_nonce_fn = get_nonce_fn;
drbg->cleanup_nonce_fn = cleanup_nonce_fn;
drbg->callback_arg = arg;
return 1;
}

1
providers/implementations/rands/drbg_ctr.c
View File

@ -738,7 +738,6 @@ const OSSL_DISPATCH drbg_ctr_functions[] = {
{ OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
(void(*)(void))drbg_ctr_gettable_ctx_params },
{ OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_ctr_get_ctx_params },
{ OSSL_FUNC_RAND_SET_CALLBACKS, (void(*)(void))drbg_set_callbacks },
{ OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
(void(*)(void))drbg_ctr_verify_zeroization },
{ 0, NULL }

1
providers/implementations/rands/drbg_hash.c
View File

@ -505,7 +505,6 @@ const OSSL_DISPATCH drbg_hash_functions[] = {
{ OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
(void(*)(void))drbg_hash_gettable_ctx_params },
{ OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_hash_get_ctx_params },
{ OSSL_FUNC_RAND_SET_CALLBACKS, (void(*)(void))drbg_set_callbacks },
{ OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
(void(*)(void))drbg_hash_verify_zeroization },
{ 0, NULL }

1
providers/implementations/rands/drbg_hmac.c
View File

@ -408,7 +408,6 @@ const OSSL_DISPATCH drbg_hmac_functions[] = {
{ OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
(void(*)(void))drbg_hmac_gettable_ctx_params },
{ OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_hmac_get_ctx_params },
{ OSSL_FUNC_RAND_SET_CALLBACKS, (void(*)(void))drbg_set_callbacks },
{ OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
(void(*)(void))drbg_hmac_verify_zeroization },
{ 0, NULL }

9
providers/implementations/rands/drbg_local.h
View File

@ -219,15 +219,6 @@ int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
unsigned int strength, int prediction_resistance,
const unsigned char *adin, size_t adinlen);
/*
* Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
* These need to be exposed for the unit tests.
*/
int drbg_set_callbacks(void *vctx, OSSL_INOUT_CALLBACK *get_entropy_fn,
OSSL_CALLBACK *cleanup_entropy_fn,
OSSL_INOUT_CALLBACK *get_nonce_fn,
OSSL_CALLBACK *cleanup_nonce_fn, void *arg);
/* Verify that an array of numeric values is all zero */
#define PROV_DRBG_VERYIFY_ZEROIZATION(v) \
{ \

1
ssl/ssl_lib.c
View File

@ -18,7 +18,6 @@
#include <openssl/objects.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
#include <openssl/rand_drbg.h>
#include <openssl/ocsp.h>
#include <openssl/dh.h>
#include <openssl/engine.h>

12
test/build.info
View File

@ -52,7 +52,7 @@ IF[{- !$disabled{tests} -}]
cipherbytes_test \
asn1_encode_test asn1_decode_test asn1_string_table_test \
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest drbg_cavs_test drbg_extra_test sslbuffertest \
recordlentest drbgtest sslbuffertest \
time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
http_test servername_test ocspapitest fatalerrtest tls13ccstest \
sysdefaulttest errtest ssl_ctx_test gosttest \
@ -372,16 +372,6 @@ IF[{- !$disabled{tests} -}]
INCLUDE[drbgtest]=../include ../apps/include
DEPEND[drbgtest]=../libcrypto.a libtestutil.a
SOURCE[drbg_cavs_test]=drbg_cavs_test.c drbg_cavs_data_ctr.c \
drbg_cavs_data_hash.c drbg_cavs_data_hmac.c
INCLUDE[drbg_cavs_test]=../include ../apps/include . ..
DEPEND[drbg_cavs_test]=../libcrypto libtestutil.a
SOURCE[drbg_extra_test]=drbg_extra_test.c
INCLUDE[drbg_extra_test]=../include . .. ../apps/include
DEPEND[drbg_extra_test]=../libcrypto libtestutil.a
SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c
INCLUDE[x509_dup_cert_test]=../include ../apps/include
DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a

7769
test/drbg_cavs_data_ctr.c
View File

File diff suppressed because it is too large Load Diff

8387
test/drbg_cavs_data_hash.c
View File

File diff suppressed because it is too large Load Diff

285
test/drbg_cavs_data_hmac.c
View File

@ -1,285 +0,0 @@
/*
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/*
* Small subset of DRBG test vectors from:
* https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
* The index in the names given below (e.g- kat1680)- refers to the CAVS index.
*/
#include <openssl/obj_mac.h>
#include "internal/nelem.h"
#include "drbg_cavs_data.h"
static const unsigned char kat1_nor_entropyin[] = {
0xe9, 0x1b, 0x63, 0x30, 0x9e, 0x93, 0xd1, 0xd0, 0x8e, 0x30, 0xe8, 0xd5,
0x56, 0x90, 0x68, 0x75,
};
static const unsigned char kat1_nor_nonce[] = {
0xf5, 0x97, 0x47, 0xc4, 0x68, 0xb0, 0xd0, 0xda,
};
static const unsigned char kat1_nor_persstr[] = {0};
static const unsigned char kat1_nor_addin0[] = {0};
static const unsigned char kat1_nor_addin1[] = {0};
static const unsigned char kat1_nor_retbytes[] = {
0xb7, 0x92, 0x8f, 0x95, 0x03, 0xa4, 0x17, 0x11, 0x07, 0x88, 0xf9, 0xd0,
0xc2, 0x58, 0x5f, 0x8a, 0xee, 0x6f, 0xb7, 0x3b, 0x22, 0x0a, 0x62, 0x6b,
0x3a, 0xb9, 0x82, 0x5b, 0x7a, 0x9f, 0xac, 0xc7, 0x97, 0x23, 0xd7, 0xe1,
0xba, 0x92, 0x55, 0xe4, 0x0e, 0x65, 0xc2, 0x49, 0xb6, 0x08, 0x2a, 0x7b,
0xc5, 0xe3, 0xf1, 0x29, 0xd3, 0xd8, 0xf6, 0x9b, 0x04, 0xed, 0x11, 0x83,
0x41, 0x9d, 0x6c, 0x4f, 0x2a, 0x13, 0xb3, 0x04, 0xd2, 0xc5, 0x74, 0x3f,
0x41, 0xc8, 0xb0, 0xee, 0x73, 0x22, 0x53, 0x47,
};
static const struct drbg_kat_no_reseed kat1_nor_t = {
0, kat1_nor_entropyin, kat1_nor_nonce, kat1_nor_persstr,
kat1_nor_addin0, kat1_nor_addin1, kat1_nor_retbytes
};
static const struct drbg_kat kat1_nor = {
NO_RESEED, USE_HMAC, NID_sha1, 16, 8, 0, 0, 80, &kat1_nor_t
};
static const unsigned char kat1680_nor_entropyin[] = {
0x68, 0xcf, 0x3f, 0x51, 0x8b, 0x47, 0x45, 0x45, 0x2a, 0x41, 0x49, 0xd2,
0x00, 0x43, 0x49, 0x60, 0xcb, 0xe1, 0x0b, 0xcb, 0x78, 0x3c, 0x3f, 0x89,
0xd3, 0xb8, 0x5f, 0x61, 0x87, 0x99, 0xf5, 0xcb,
};
static const unsigned char kat1680_nor_nonce[] = {
0xdc, 0x34, 0x5f, 0x21, 0xa3, 0x3c, 0x16, 0x8e, 0x4e, 0x07, 0x60, 0x31,
0x87, 0x59, 0x2f, 0x9c,
};
static const unsigned char kat1680_nor_persstr[] = {
0x2c, 0x26, 0xce, 0x79, 0xee, 0x85, 0xd0, 0xc9, 0xca, 0x4d, 0x1a, 0xbc,
0x6e, 0x0a, 0xc2, 0xad, 0xb2, 0x6c, 0xd2, 0x23, 0xdc, 0xb5, 0x13, 0x40,
0x3a, 0x53, 0x75, 0x5b, 0x64, 0x75, 0x98, 0xe3,
};
static const unsigned char kat1680_nor_addin0[] = {
0xac, 0xcf, 0xf5, 0x36, 0x08, 0x61, 0x6d, 0x90, 0x07, 0x19, 0x9e, 0x41,
0x39, 0x68, 0x46, 0xbe, 0x58, 0x00, 0xee, 0xa5, 0x5f, 0x73, 0xf6, 0x4a,
0x6d, 0x8c, 0x8f, 0x26, 0xb5, 0xba, 0xe0, 0x7d,
};
static const unsigned char kat1680_nor_addin1[] = {
0xd8, 0xd5, 0x25, 0x8b, 0xaf, 0xf4, 0x18, 0x50, 0xde, 0x1f, 0xeb, 0x5e,
0xcb, 0xbd, 0x17, 0x95, 0xcd, 0xf4, 0x53, 0x8a, 0x1c, 0x57, 0xf5, 0x5c,
0x9f, 0x58, 0x5f, 0xf0, 0x35, 0xa1, 0x3e, 0x55,
};
static const unsigned char kat1680_nor_retbytes[] = {
0x50, 0x32, 0xda, 0xa0, 0x34, 0x15, 0xb2, 0xb6, 0x78, 0x0e, 0xf4, 0xc6,
0xcf, 0xec, 0xfa, 0xcc, 0xef, 0xda, 0x71, 0x2f, 0x25, 0x29, 0xd2, 0xcd,
0xf4, 0xcb, 0x45, 0xd5, 0x22, 0x29, 0xe2, 0xb7, 0x38, 0x8e, 0xbc, 0xe9,
0x26, 0xa7, 0xaa, 0x05, 0xcc, 0x13, 0x2b, 0x34, 0x79, 0xe7, 0xb9, 0xc0,
0xb8, 0xb4, 0xcd, 0x02, 0x62, 0xf7, 0xb1, 0x8a, 0x58, 0x32, 0x6e, 0xab,
0x2b, 0xae, 0xb9, 0x1e, 0xd4, 0x81, 0x8b, 0xf2, 0x0a, 0x10, 0x59, 0x75,
0x34, 0x2b, 0xed, 0x6a, 0x97, 0xf2, 0xe6, 0x7c, 0x48, 0x3a, 0x40, 0x3f,
0x98, 0xa4, 0xa5, 0xdf, 0xee, 0x98, 0x13, 0x07, 0x41, 0xb9, 0x09, 0xf0,
0xc4, 0x81, 0x2c, 0x19, 0x17, 0x33, 0x4d, 0xdc, 0x5e, 0x67, 0x82, 0x56,
0xb7, 0x8c, 0x23, 0x76, 0x42, 0x17, 0x79, 0x8f, 0x25, 0xdb, 0x20, 0xd8,
0x0e, 0xa8, 0x5b, 0x69, 0xef, 0xd7, 0x58, 0x92,
};
static const struct drbg_kat_no_reseed kat1680_nor_t = {
14, kat1680_nor_entropyin, kat1680_nor_nonce, kat1680_nor_persstr,
kat1680_nor_addin0, kat1680_nor_addin1, kat1680_nor_retbytes
};
static const struct drbg_kat kat1680_nor = {
NO_RESEED, USE_HMAC, NID_sha512_256, 32, 16, 32, 32, 128, &kat1680_nor_t
};
/* -------------------------------------------------------------------------- */
static const unsigned char kat2_prt_entropyin[] = {
0x07, 0xbd, 0xda, 0xb0, 0x6c, 0xf3, 0xd7, 0xf0, 0x94, 0xcc, 0x23, 0x02,
0xab, 0xd7, 0x00, 0xa9,
};
static const unsigned char kat2_prt_nonce[] = {
0xd6, 0x74, 0x21, 0xae, 0xb7, 0x11, 0xf4, 0xbb,
};
static const unsigned char kat2_prt_persstr[] = {0};
static const unsigned char kat2_prt_entropyinpr0[] = {
0xe6, 0x6f, 0x59, 0xe2, 0x8a, 0x46, 0x79, 0x42, 0x13, 0xbf, 0x3d, 0x0c,
0x3a, 0x2c, 0xbb, 0xb0,
};
static const unsigned char kat2_prt_entropyinpr1[] = {
0x92, 0x05, 0xb9, 0x0e, 0x0e, 0xf2, 0x12, 0xc7, 0x67, 0x9b, 0x37, 0x52,
0x6a, 0x80, 0x67, 0x89,
};
static const unsigned char kat2_prt_addin0[] = {0};
static const unsigned char kat2_prt_addin1[] = {0};
static const unsigned char kat2_prt_retbytes[] = {
0xf7, 0x6f, 0xd2, 0xa4, 0x9d, 0x95, 0x74, 0xc3, 0xf9, 0x08, 0x64, 0xf3,
0x5f, 0x32, 0x25, 0x3b, 0x83, 0x09, 0x8e, 0xe0, 0x4a, 0x4c, 0x8d, 0xba,
0x46, 0x4a, 0x80, 0x35, 0xf6, 0x65, 0xca, 0x16, 0x5c, 0x8a, 0x03, 0x8b,
0xe5, 0xe1, 0xb1, 0x00, 0xd5, 0x67, 0x52, 0xad, 0xcf, 0x59, 0xbe, 0xa1,
0x67, 0xe1, 0x5b, 0x1d, 0x01, 0xc4, 0x19, 0x94, 0x8d, 0x2d, 0x0a, 0x85,
0xbe, 0x66, 0xd1, 0x9b, 0xb4, 0x0e, 0x5e, 0x0a, 0x66, 0xcf, 0xd7, 0x6b,
0xa7, 0x54, 0x7e, 0xba, 0x62, 0x76, 0xea, 0x49,
};
static const struct drbg_kat_pr_true kat2_prt_t = {
1, kat2_prt_entropyin, kat2_prt_nonce, kat2_prt_persstr,
kat2_prt_entropyinpr0, kat2_prt_addin0, kat2_prt_entropyinpr1,
kat2_prt_addin1, kat2_prt_retbytes
};
static const struct drbg_kat kat2_prt = {
PR_TRUE, USE_HMAC, NID_sha1, 16, 8, 0, 0, 80, &kat2_prt_t
};
static const unsigned char kat1680_prt_entropyin[] = {
0xfa, 0x18, 0xc7, 0x94, 0x9c, 0xd5, 0xbc, 0xbe, 0x49, 0xc9, 0x6f, 0x4d,
0x66, 0x70, 0xc8, 0x4f, 0x55, 0xae, 0xe0, 0x0f, 0x36, 0xa4, 0x6c, 0xbf,
0xaf, 0xbe, 0x54, 0xe6, 0x6b, 0x32, 0x64, 0x23,
};
static const unsigned char kat1680_prt_nonce[] = {
0xc6, 0xfd, 0xec, 0x42, 0x46, 0xbd, 0xa3, 0xe2, 0xb6, 0x9f, 0xf6, 0x02,
0x67, 0x5f, 0x7e, 0x6d,
};
static const unsigned char kat1680_prt_persstr[] = {
0x9b, 0x31, 0xee, 0xbb, 0xe8, 0xbc, 0x02, 0x3c, 0xb8, 0x19, 0x3c, 0xe5,
0xe1, 0x5a, 0x62, 0x9d, 0x29, 0x20, 0xa0, 0xc4, 0x91, 0x69, 0xd2, 0x98,
0x92, 0x4b, 0xdb, 0xa2, 0xeb, 0x3b, 0xcd, 0x46,
};
static const unsigned char kat1680_prt_entropyinpr0[] = {
0xd7, 0x84, 0x2e, 0x7a, 0xd0, 0xcb, 0xac, 0x6b, 0x94, 0x04, 0xe8, 0xe9,
0x42, 0xfa, 0xbb, 0x77, 0x97, 0x4b, 0x35, 0x3a, 0x7f, 0x96, 0x33, 0x88,
0x06, 0x95, 0xfb, 0xff, 0xcb, 0x4d, 0x32, 0x79,
};
static const unsigned char kat1680_prt_entropyinpr1[] = {
0x96, 0xa3, 0x0d, 0x85, 0x93, 0xcc, 0xe5, 0xfe, 0xbd, 0x4f, 0x03, 0x4f,
0xf9, 0x74, 0x79, 0xeb, 0x88, 0x08, 0xe8, 0x1b, 0xd7, 0xb8, 0xf7, 0xb4,
0x4a, 0xe9, 0x45, 0xfb, 0xbf, 0x50, 0x35, 0x72,
};
static const unsigned char kat1680_prt_addin0[] = {
0x2e, 0x08, 0x83, 0xa8, 0x80, 0x21, 0xb7, 0xca, 0x2e, 0x8b, 0xe9, 0xb7,
0xb2, 0x08, 0xee, 0xc4, 0x10, 0x78, 0x64, 0x60, 0x5f, 0x71, 0x85, 0x10,
0x32, 0x3d, 0x89, 0xc8, 0x14, 0x6c, 0xa8, 0x93,
};
static const unsigned char kat1680_prt_addin1[] = {
0x01, 0x55, 0xdc, 0x73, 0xa3, 0x6c, 0x16, 0x0d, 0x9e, 0x13, 0xc0, 0x23,
0xe7, 0x32, 0x79, 0x8b, 0x4f, 0xba, 0x3a, 0x9f, 0xd8, 0x49, 0xc0, 0xed,
0xf8, 0x99, 0x76, 0x5c, 0x5f, 0xf7, 0x34, 0x9f,
};
static const unsigned char kat1680_prt_retbytes[] = {
0xee, 0x19, 0x1d, 0xc6, 0xbe, 0xf0, 0x25, 0xe3, 0x63, 0x02, 0xbb, 0x8c,
0xe0, 0xe6, 0xa9, 0x49, 0xf7, 0xb0, 0xd2, 0x94, 0x4b, 0x24, 0x6f, 0xc5,
0x2d, 0x68, 0xa2, 0x0c, 0x3b, 0x2b, 0x78, 0x75, 0x95, 0xca, 0x9d, 0x4b,
0xae, 0x2f, 0x55, 0xa1, 0x39, 0x24, 0xfa, 0xbb, 0xef, 0x8f, 0x70, 0x0a,
0xbc, 0x09, 0xd7, 0xda, 0xc1, 0xc1, 0xeb, 0x3a, 0x63, 0xc0, 0x40, 0x86,
0x75, 0x19, 0xe6, 0x72, 0x4f, 0xae, 0xb5, 0x32, 0xd0, 0x1c, 0xd3, 0x89,
0x22, 0xe4, 0xe0, 0x97, 0x35, 0x66, 0xfc, 0x23, 0xf5, 0xfb, 0xc0, 0x67,
0xf4, 0x96, 0xcb, 0x97, 0xfe, 0x3c, 0xe9, 0x75, 0x64, 0xf0, 0x01, 0x0d,
0x6c, 0xd2, 0xb5, 0xd8, 0x1a, 0x3e, 0x79, 0xfc, 0xb8, 0x5f, 0x01, 0x01,
0x91, 0xa7, 0x6b, 0x4d, 0x79, 0x6e, 0xa8, 0xc8, 0x5b, 0x11, 0x9d, 0xd2,
0x42, 0x10, 0xf6, 0x47, 0x25, 0xc0, 0x96, 0x89,
};
static const struct drbg_kat_pr_true kat1680_prt_t = {
14, kat1680_prt_entropyin, kat1680_prt_nonce, kat1680_prt_persstr,
kat1680_prt_entropyinpr0, kat1680_prt_addin0, kat1680_prt_entropyinpr1,
kat1680_prt_addin1, kat1680_prt_retbytes
};
static const struct drbg_kat kat1680_prt = {
PR_TRUE, USE_HMAC, NID_sha512_256, 32, 16, 32, 32, 128, &kat1680_prt_t
};
/* -------------------------------------------------------------------------- */
static const unsigned char kat7_prf_entropyin[] = {
0xb3, 0xd4, 0x04, 0x12, 0x01, 0xf4, 0x34, 0x5e, 0x0a, 0x81, 0x8d, 0xe1,
0x36, 0xc6, 0xaa, 0x7e,
};
static const unsigned char kat7_prf_nonce[] = {
0x6b, 0x06, 0x12, 0xe1, 0xac, 0x6b, 0x3f, 0x2f,
};
static const unsigned char kat7_prf_persstr[] = {0};
static const unsigned char kat7_prf_entropyin_reseed[] = {
0x26, 0xf6, 0xec, 0x32, 0x8a, 0xc7, 0xf8, 0x96, 0x6d, 0xca, 0x90, 0xe1,
0x62, 0xc2, 0x97, 0xef,
};
static const unsigned char kat7_prf_addin_reseed[] = {0};
static const unsigned char kat7_prf_addin0[] = {0};
static const unsigned char kat7_prf_addin1[] = {0};
static const unsigned char kat7_prf_retbytes[] = {
0xd9, 0x24, 0x5a, 0x4a, 0x0a, 0xb0, 0xca, 0x97, 0xe7, 0x47, 0xc0, 0xd2,
0x90, 0x98, 0x97, 0x9e, 0x82, 0x48, 0xe5, 0x3f, 0x0e, 0xc6, 0xb9, 0x16,
0x78, 0x97, 0x2f, 0x3b, 0x56, 0x91, 0xe7, 0x99, 0x5a, 0xd2, 0xeb, 0x99,
0x64, 0x0d, 0x3e, 0x9a, 0x83, 0x64, 0x89, 0x1d, 0x0f, 0xf1, 0x79, 0x73,
0x2d, 0x63, 0x3f, 0x76, 0x2d, 0x65, 0x92, 0xa4, 0xd4, 0x9c, 0x4e, 0x66,
0x7c, 0x69, 0x9b, 0x26, 0x78, 0x92, 0x9c, 0x81, 0xd9, 0xbd, 0xfc, 0x74,
0xd6, 0x57, 0x5f, 0x5b, 0x72, 0x7f, 0x4d, 0x65,
};
static const struct drbg_kat_pr_false kat7_prf_t = {
6, kat7_prf_entropyin, kat7_prf_nonce, kat7_prf_persstr,
kat7_prf_entropyin_reseed, kat7_prf_addin_reseed,
kat7_prf_addin0, kat7_prf_addin1, kat7_prf_retbytes
};
static const struct drbg_kat kat7_prf = {
PR_FALSE, USE_HMAC, NID_sha1, 16, 8, 0, 0, 80, &kat7_prf_t
};
static const unsigned char kat1680_prf_entropyin[] = {
0x03, 0x8f, 0x2d, 0x21, 0x48, 0x1d, 0xe9, 0xf2, 0x28, 0x61, 0x68, 0xc8,
0x0d, 0xb5, 0x59, 0xb0, 0x37, 0xa3, 0x6a, 0x05, 0x91, 0xe3, 0xc2, 0x46,
0xa5, 0xe3, 0xa5, 0x5d, 0x0e, 0x39, 0x2b, 0x35,
};
static const unsigned char kat1680_prf_nonce[] = {
0x86, 0x95, 0x63, 0x4d, 0xb6, 0xfc, 0x1c, 0x67, 0x29, 0x9f, 0xd5, 0x55,
0x3b, 0x19, 0xc5, 0x4d,
};
static const unsigned char kat1680_prf_persstr[] = {
0x01, 0x35, 0x28, 0x7e, 0xfe, 0x2f, 0x40, 0xa9, 0xcf, 0x2a, 0xdc, 0x97,
0xa5, 0x58, 0x20, 0xbb, 0xb9, 0xf9, 0x49, 0x8b, 0xc5, 0x12, 0x70, 0x7c,
0x5a, 0xc9, 0xc7, 0x21, 0x89, 0x37, 0x57, 0xbf,
};
static const unsigned char kat1680_prf_entropyin_reseed[] = {
0x7d, 0x20, 0xf5, 0xdd, 0x7e, 0xba, 0x0d, 0x2d, 0xd1, 0x88, 0x2f, 0xd2,
0xdd, 0x98, 0x72, 0x80, 0xf3, 0xd9, 0x50, 0x2a, 0x62, 0x4d, 0xff, 0x55,
0x26, 0x7d, 0x59, 0x6d, 0x4a, 0xb0, 0x21, 0xc9,
};
static const unsigned char kat1680_prf_addin_reseed[] = {
0x7e, 0x78, 0x8d, 0x4f, 0xba, 0xb8, 0x92, 0xa6, 0x67, 0xc1, 0x52, 0xf2,
0x90, 0x6c, 0x4b, 0xd7, 0xc4, 0xa6, 0x29, 0x5f, 0x11, 0x5b, 0xb6, 0xf6,
0x5d, 0x80, 0x88, 0xfd, 0xff, 0xc8, 0xb5, 0xe5,
};
static const unsigned char kat1680_prf_addin0[] = {
0xb7, 0x5e, 0x30, 0x58, 0x84, 0x81, 0x60, 0xfd, 0x30, 0xe7, 0xd0, 0x4a,
0x72, 0xba, 0x5b, 0x37, 0x6f, 0xad, 0xf2, 0x66, 0xdb, 0x66, 0x6a, 0x95,
0xed, 0xaa, 0xab, 0x56, 0x52, 0x51, 0x1e, 0xb9,
};
static const unsigned char kat1680_prf_addin1[] = {
0x69, 0x73, 0xe0, 0x5c, 0xea, 0xb5, 0x31, 0x0b, 0x91, 0x21, 0xe1, 0xde,
0x19, 0x94, 0x84, 0xdf, 0x58, 0xfc, 0x4b, 0x26, 0x42, 0x9d, 0xdf, 0x44,
0x65, 0xcd, 0xe7, 0xf7, 0xd6, 0xea, 0x35, 0x54,
};
static const unsigned char kat1680_prf_retbytes[] = {
0x13, 0x44, 0x5b, 0x39, 0xab, 0x89, 0x3b, 0x31, 0x9c, 0xb0, 0xc4, 0x22,
0x50, 0x8d, 0x3f, 0x4d, 0x03, 0x26, 0x40, 0x16, 0xf9, 0xf6, 0x91, 0xb9,
0x16, 0x97, 0xb6, 0x37, 0xc4, 0xea, 0x25, 0x1c, 0x71, 0xec, 0x4c, 0xa3,
0x55, 0x70, 0xd1, 0x07, 0x24, 0xa3, 0xf9, 0x19, 0xe0, 0x42, 0xdc, 0xe3,
0x5f, 0x50, 0xfc, 0x10, 0x86, 0x6f, 0x7c, 0x9d, 0xf8, 0x8a, 0xb3, 0x7e,
0xa3, 0xbc, 0x25, 0xd2, 0x86, 0xfa, 0xe1, 0x55, 0x7f, 0xd9, 0x30, 0xed,
0x74, 0x7c, 0xdf, 0x24, 0x6b, 0xc7, 0xa3, 0xb2, 0xd6, 0xc9, 0x5d, 0x1f,
0x77, 0x17, 0xbb, 0xe4, 0x22, 0xd7, 0x10, 0x35, 0x6a, 0xf8, 0xab, 0x7d,
0xf7, 0xcd, 0x72, 0x4d, 0x02, 0x2f, 0xe5, 0xf8, 0xf2, 0xd8, 0x4d, 0x6f,
0x2b, 0x27, 0x0d, 0x70, 0xb1, 0x6a, 0xf1, 0x4b, 0x3c, 0xcb, 0x4d, 0x52,
0xfd, 0x58, 0x7c, 0x59, 0x8f, 0x00, 0x95, 0x1e,
};
static const struct drbg_kat_pr_false kat1680_prf_t = {
14, kat1680_prf_entropyin, kat1680_prf_nonce, kat1680_prf_persstr,
kat1680_prf_entropyin_reseed, kat1680_prf_addin_reseed,
kat1680_prf_addin0, kat1680_prf_addin1, kat1680_prf_retbytes
};
static const struct drbg_kat kat1680_prf = {
PR_FALSE, USE_HMAC, NID_sha512_256, 32, 16, 32, 32, 128, &kat1680_prf_t
};
/* -------------------------------------------------------------------------- */
const struct drbg_kat *drbg_hmac_test[] = {
&kat1_nor, &kat1680_nor,
&kat2_prt, &kat1680_prt,
&kat7_prf, &kat1680_prf
};
const size_t drbg_hmac_nelem = OSSL_NELEM(drbg_hmac_test);

308
test/drbg_cavs_test.c
View File

@ -1,308 +0,0 @@
/*
* Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include "internal/nelem.h"
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/obj_mac.h>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include "../crypto/rand/rand_local.h"
#include "testutil.h"
#include "drbg_cavs_data.h"
static int app_data_index;
typedef struct test_ctx_st {
const unsigned char *entropy;
size_t entropylen;
int entropycnt;
const unsigned char *nonce;
size_t noncelen;
int noncecnt;
} TEST_CTX;
static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
int entropy, size_t min_len, size_t max_len,
int prediction_resistance)
{
TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
t->entropycnt++;
*pout = (unsigned char *)t->entropy;
return t->entropylen;
}
static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
int entropy, size_t min_len, size_t max_len)
{
TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
t->noncecnt++;
*pout = (unsigned char *)t->nonce;
return t->noncelen;
}
/*
* Do a single NO_RESEED KAT:
*
* Instantiate
* Generate Random Bits (pr=false)
* Generate Random Bits (pr=false)
* Uninstantiate
*
* Return 0 on failure.
*/
static int single_kat_no_reseed(const struct drbg_kat *td)
{
struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
RAND_DRBG *drbg = NULL;
unsigned char *buff = NULL;
unsigned int flags = 0;
int failures = 0;
TEST_CTX t;
if ((td->flags & USE_DF) == 0)
flags |= RAND_DRBG_FLAG_CTR_NO_DF;
if ((td->flags & USE_HMAC) != 0)
flags |= RAND_DRBG_FLAG_HMAC;
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL))) {
failures++;
goto err;
}
memset(&t, 0, sizeof(t));
t.entropy = data->entropyin;
t.entropylen = td->entropyinlen;
t.nonce = data->nonce;
t.noncelen = td->noncelen;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
buff = OPENSSL_malloc(td->retbyteslen);
if (buff == NULL)
goto err;
if (!TEST_true(RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
data->addin1, td->addinlen))
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
data->addin2, td->addinlen))
|| !TEST_true(RAND_DRBG_uninstantiate(drbg))
|| !TEST_mem_eq(data->retbytes, td->retbyteslen, buff,
td->retbyteslen))
failures++;
err:
OPENSSL_free(buff);
RAND_DRBG_uninstantiate(drbg);
RAND_DRBG_free(drbg);
return failures == 0;
}
/*-
* Do a single PR_FALSE KAT:
*
* Instantiate
* Reseed
* Generate Random Bits (pr=false)
* Generate Random Bits (pr=false)
* Uninstantiate
*
* Return 0 on failure.
*/
static int single_kat_pr_false(const struct drbg_kat *td)
{
struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
RAND_DRBG *drbg = NULL;
unsigned char *buff = NULL;
unsigned int flags = 0;
int failures = 0;
TEST_CTX t;
if ((td->flags & USE_DF) == 0)
flags |= RAND_DRBG_FLAG_CTR_NO_DF;
if ((td->flags & USE_HMAC) != 0)
flags |= RAND_DRBG_FLAG_HMAC;
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL))) {
failures++;
goto err;
}
memset(&t, 0, sizeof(t));
t.entropy = data->entropyin;
t.entropylen = td->entropyinlen;
t.nonce = data->nonce;
t.noncelen = td->noncelen;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
buff = OPENSSL_malloc(td->retbyteslen);
if (buff == NULL)
goto err;
if (!TEST_true(RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)))
failures++;
t.entropy = data->entropyinreseed;
t.entropylen = td->entropyinlen;
if (!TEST_true(RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0))
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
data->addin1, td->addinlen))
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
data->addin2, td->addinlen))
|| !TEST_true(RAND_DRBG_uninstantiate(drbg))
|| !TEST_mem_eq(data->retbytes, td->retbyteslen, buff,
td->retbyteslen))
failures++;
err:
OPENSSL_free(buff);
RAND_DRBG_uninstantiate(drbg);
RAND_DRBG_free(drbg);
return failures == 0;
}
/*-
* Do a single PR_TRUE KAT:
*
* Instantiate
* Generate Random Bits (pr=true)
* Generate Random Bits (pr=true)
* Uninstantiate
*
* Return 0 on failure.
*/
static int single_kat_pr_true(const struct drbg_kat *td)
{
struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
RAND_DRBG *drbg = NULL;
unsigned char *buff = NULL;
unsigned int flags = 0;
int failures = 0;
TEST_CTX t;
if ((td->flags & USE_DF) == 0)
flags |= RAND_DRBG_FLAG_CTR_NO_DF;
if ((td->flags & USE_HMAC) != 0)
flags |= RAND_DRBG_FLAG_HMAC;
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL))) {
failures++;
goto err;
}
memset(&t, 0, sizeof(t));
t.nonce = data->nonce;
t.noncelen = td->noncelen;
t.entropy = data->entropyin;
t.entropylen = td->entropyinlen;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
buff = OPENSSL_malloc(td->retbyteslen);
if (buff == NULL)
goto err;
if (!TEST_true(RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)))
failures++;
t.entropy = data->entropyinpr1;
t.entropylen = td->entropyinlen;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
data->addin1, td->addinlen)))
failures++;
t.entropy = data->entropyinpr2;
t.entropylen = td->entropyinlen;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
data->addin2, td->addinlen))
|| !TEST_true(RAND_DRBG_uninstantiate(drbg))
|| !TEST_mem_eq(data->retbytes, td->retbyteslen, buff,
td->retbyteslen))
failures++;
err:
OPENSSL_free(buff);
RAND_DRBG_uninstantiate(drbg);
RAND_DRBG_free(drbg);
return failures == 0;
}
static int test_cavs_kats(const struct drbg_kat *test[], int i)
{
const struct drbg_kat *td = test[i];
int rv = 0;
#ifdef FIPS_MODULE
/* FIPS mode doesn't support instantiating without a derivation function */
if ((td->flags & USE_DF) == 0)
return TEST_skip("instantiating without derivation function "
"is not supported in FIPS mode");
#endif
switch (td->type) {
case NO_RESEED:
if (!single_kat_no_reseed(td))
goto err;
break;
case PR_FALSE:
if (!single_kat_pr_false(td))
goto err;
break;
case PR_TRUE:
if (!single_kat_pr_true(td))
goto err;
break;
default: /* cant happen */
goto err;
}
rv = 1;
err:
return rv;
}
static int test_cavs_ctr(int i)
{
return test_cavs_kats(drbg_ctr_test, i);
}
static int test_cavs_hmac(int i)
{
return test_cavs_kats(drbg_hmac_test, i);
}
static int test_cavs_hash(int i)
{
return test_cavs_kats(drbg_hash_test, i);
}
int setup_tests(void)
{
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
ADD_ALL_TESTS(test_cavs_ctr, drbg_ctr_nelem);
ADD_ALL_TESTS(test_cavs_hmac, drbg_hmac_nelem);
ADD_ALL_TESTS(test_cavs_hash, drbg_hash_nelem);
return 1;
}

92
test/drbg_extra_test.c
View File

@ -1,92 +0,0 @@
/*
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include "internal/nelem.h"
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/obj_mac.h>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include "../crypto/rand/rand_local.h"
#include "testutil.h"
#include "drbg_extra_test.h"
static unsigned char zerobuff[32];
static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
int entropy, size_t min_len, size_t max_len,
int prediction_resistance)
{
*pout = zerobuff;
return sizeof(zerobuff);
}
static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
int entropy, size_t min_len, size_t max_len)
{
*pout = zerobuff;
return sizeof(zerobuff);
}
static int run_extra_kat(const struct drbg_extra_kat *td)
{
unsigned long long i;
RAND_DRBG *drbg = NULL;
unsigned char buff[BUFFSIZE];
unsigned int flags = 0;
int failures = 0;
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL)))
return 0;
/* Set deterministic entropy callback. */
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL))) {
failures++;
goto err;
}
/* Set fixed reseed intervall. */
if (!TEST_true(RAND_DRBG_set_reseed_interval(drbg, RESEEDINTERVAL))) {
failures++;
goto err;
}
if (!TEST_true(RAND_DRBG_instantiate(drbg, NULL, 0)))
failures++;
for (i = 0; i < td->ngen; i++) {
if(!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL,
0)))
failures++;
}
if (!TEST_true(RAND_DRBG_uninstantiate(drbg))
|| !TEST_mem_eq(td->expected, sizeof(buff), buff, sizeof(buff)))
failures++;
err:
RAND_DRBG_uninstantiate(drbg);
RAND_DRBG_free(drbg);
return failures == 0;
}
static int test_extra_kats(int i)
{
return run_extra_kat(drbg_extra_test[i]);
}
int setup_tests(void)
{
ADD_ALL_TESTS(test_extra_kats, OSSL_NELEM(drbg_extra_test));
return 1;
}

848
test/drbgtest.c
View File

File diff suppressed because it is too large Load Diff

6
test/recipes/05-test_rand.t
View File

@ -9,11 +9,9 @@
use strict;
use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Utils;
plan tests => 2;
plan tests => 1;
setup("test_rand");
ok(run(test(["drbgtest"])));
ok(run(test(["drbg_cavs_test"])));
# commented out due to long running time
#ok(run(test(["drbg_extra_test"])));

55
util/libcrypto.num
View File

@ -4198,17 +4198,17 @@ OSSL_STORE_LOADER_get0_engine 4287 3_0_0 EXIST::FUNCTION:
OPENSSL_fork_prepare 4288 3_0_0 EXIST:UNIX:FUNCTION:
OPENSSL_fork_parent 4289 3_0_0 EXIST:UNIX:FUNCTION:
OPENSSL_fork_child 4290 3_0_0 EXIST:UNIX:FUNCTION:
RAND_DRBG_instantiate 4292 3_0_0 EXIST::FUNCTION:
RAND_DRBG_uninstantiate 4293 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set 4295 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
RAND_DRBG_set_callbacks 4296 3_0_0 EXIST::FUNCTION:
RAND_DRBG_new 4297 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_reseed_interval 4298 3_0_0 EXIST::FUNCTION:
RAND_DRBG_free 4299 3_0_0 EXIST::FUNCTION:
RAND_DRBG_generate 4300 3_0_0 EXIST::FUNCTION:
RAND_DRBG_reseed 4301 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_ex_data 4302 3_0_0 EXIST::FUNCTION:
RAND_DRBG_get_ex_data 4303 3_0_0 EXIST::FUNCTION:
RAND_DRBG_instantiate 4292 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_uninstantiate 4293 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_set 4295 3_0_0 NOEXIST::FUNCTION:DEPRECATEDIN_3_0
RAND_DRBG_set_callbacks 4296 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_new 4297 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_set_reseed_interval 4298 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_free 4299 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_generate 4300 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_reseed 4301 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_set_ex_data 4302 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_get_ex_data 4303 3_0_0 NOEXIST::FUNCTION:
EVP_sha3_224 4304 3_0_0 EXIST::FUNCTION:
EVP_sha3_256 4305 3_0_0 EXIST::FUNCTION:
EVP_sha3_384 4306 3_0_0 EXIST::FUNCTION:
@ -4223,7 +4223,7 @@ SCRYPT_PARAMS_it 4314 3_0_0 EXIST::FUNCTION:SCRYPT
CRYPTO_secure_clear_free 4315 3_0_0 EXIST::FUNCTION:
EVP_PKEY_meth_get0 4316 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
EVP_PKEY_meth_get_count 4317 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
RAND_DRBG_get0_public 4319 3_0_0 EXIST::FUNCTION:
RAND_DRBG_get0_public 4319 3_0_0 NOEXIST::FUNCTION:
RAND_priv_bytes 4320 3_0_0 EXIST::FUNCTION:
BN_priv_rand 4321 3_0_0 EXIST::FUNCTION:
BN_priv_rand_range 4322 3_0_0 EXIST::FUNCTION:
@ -4233,7 +4233,7 @@ ASN1_TIME_compare 4325 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_ctrl_uint64 4326 3_0_0 EXIST::FUNCTION:
EVP_DigestFinalXOF 4327 3_0_0 EXIST::FUNCTION:
ERR_clear_last_mark 4328 3_0_0 EXIST::FUNCTION:
RAND_DRBG_get0_private 4329 3_0_0 EXIST::FUNCTION:
RAND_DRBG_get0_private 4329 3_0_0 NOEXIST::FUNCTION:
EVP_aria_192_ccm 4330 3_0_0 EXIST::FUNCTION:ARIA
EVP_aria_256_gcm 4331 3_0_0 EXIST::FUNCTION:ARIA
EVP_aria_256_ccm 4332 3_0_0 EXIST::FUNCTION:ARIA
@ -4281,8 +4281,8 @@ RSA_set0_multi_prime_params 4376 3_0_0 EXIST::FUNCTION:RSA
RSA_get_version 4377 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
RSA_meth_get_multi_prime_keygen 4378 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
RSA_meth_set_multi_prime_keygen 4379 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
RAND_DRBG_get0_master 4380 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_reseed_time_interval 4381 3_0_0 EXIST::FUNCTION:
RAND_DRBG_get0_master 4380 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_set_reseed_time_interval 4381 3_0_0 NOEXIST::FUNCTION:
PROFESSION_INFO_get0_addProfessionInfo 4382 3_0_0 EXIST::FUNCTION:
ADMISSION_SYNTAX_free 4383 3_0_0 EXIST::FUNCTION:
d2i_ADMISSION_SYNTAX 4384 3_0_0 EXIST::FUNCTION:
@ -4332,7 +4332,7 @@ ADMISSION_SYNTAX_new 4427 3_0_0 EXIST::FUNCTION:
EVP_sha512_256 4428 3_0_0 EXIST::FUNCTION:
EVP_sha512_224 4429 3_0_0 EXIST::FUNCTION:
OCSP_basic_sign_ctx 4430 3_0_0 EXIST::FUNCTION:OCSP
RAND_DRBG_bytes 4431 3_0_0 EXIST::FUNCTION:
RAND_DRBG_bytes 4431 3_0_0 NOEXIST::FUNCTION:
OSSL_STORE_vctrl 4433 3_0_0 EXIST::FUNCTION:
OSSL_STORE_SEARCH_by_alias 4434 3_0_0 EXIST::FUNCTION:
BIO_bind 4435 3_0_0 EXIST::FUNCTION:SOCK
@ -4352,13 +4352,13 @@ X509_get0_authority_key_id 4448 3_0_0 EXIST::FUNCTION:
OSSL_STORE_LOADER_set_find 4449 3_0_0 EXIST::FUNCTION:
OSSL_STORE_SEARCH_free 4450 3_0_0 EXIST::FUNCTION:
OSSL_STORE_SEARCH_get0_digest 4451 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_reseed_defaults 4452 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_reseed_defaults 4452 3_0_0 NOEXIST::FUNCTION:
EVP_PKEY_new_raw_private_key 4453 3_0_0 EXIST::FUNCTION:
EVP_PKEY_new_raw_public_key 4454 3_0_0 EXIST::FUNCTION:
EVP_PKEY_new_CMAC_key 4455 3_0_0 EXIST::FUNCTION:
EVP_PKEY_asn1_set_set_priv_key 4456 3_0_0 EXIST::FUNCTION:
EVP_PKEY_asn1_set_set_pub_key 4457 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_defaults 4458 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_defaults 4458 3_0_0 NOEXIST::FUNCTION:
conf_ssl_name_find 4469 3_0_0 EXIST::FUNCTION:
conf_ssl_get_cmd 4470 3_0_0 EXIST::FUNCTION:
conf_ssl_get 4471 3_0_0 EXIST::FUNCTION:
@ -4642,10 +4642,10 @@ OSSL_CMP_MSG_free ? 3_0_0 EXIST::FUNCTION:CMP
ERR_load_CMP_strings ? 3_0_0 EXIST::FUNCTION:CMP
EVP_MD_CTX_set_params ? 3_0_0 EXIST::FUNCTION:
EVP_MD_CTX_get_params ? 3_0_0 EXIST::FUNCTION:
RAND_DRBG_new_ex ? 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_primary_drbg ? 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_public_drbg ? 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_private_drbg ? 3_0_0 EXIST::FUNCTION:
RAND_DRBG_new_ex ? 3_0_0 NOEXIST::FUNCTION:
OPENSSL_CTX_get0_primary_drbg ? 3_0_0 NOEXIST::FUNCTION:
OPENSSL_CTX_get0_public_drbg ? 3_0_0 NOEXIST::FUNCTION:
OPENSSL_CTX_get0_private_drbg ? 3_0_0 NOEXIST::FUNCTION:
BN_CTX_new_ex ? 3_0_0 EXIST::FUNCTION:
BN_CTX_secure_new_ex ? 3_0_0 EXIST::FUNCTION:
OPENSSL_thread_stop_ex ? 3_0_0 EXIST::FUNCTION:
@ -4923,8 +4923,8 @@ PKCS8_pkey_add1_attr_by_OBJ ? 3_0_0 EXIST::FUNCTION:
EVP_PKEY_private_check ? 3_0_0 EXIST::FUNCTION:
EVP_PKEY_pairwise_check ? 3_0_0 EXIST::FUNCTION:
ASN1_item_verify_ctx ? 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_callback_data ? 3_0_0 EXIST::FUNCTION:
RAND_DRBG_get_callback_data ? 3_0_0 EXIST::FUNCTION:
RAND_DRBG_set_callback_data ? 3_0_0 NOEXIST::FUNCTION:
RAND_DRBG_get_callback_data ? 3_0_0 NOEXIST::FUNCTION:
BIO_socket_wait ? 3_0_0 EXIST::FUNCTION:SOCK
BIO_wait ? 3_0_0 EXIST::FUNCTION:
BIO_do_connect_retry ? 3_0_0 EXIST::FUNCTION:
@ -5106,12 +5106,12 @@ EVP_RAND_uninstantiate ? 3_0_0 EXIST::FUNCTION:
EVP_RAND_generate ? 3_0_0 EXIST::FUNCTION:
EVP_RAND_reseed ? 3_0_0 EXIST::FUNCTION:
EVP_RAND_nonce ? 3_0_0 EXIST::FUNCTION:
EVP_RAND_set_callbacks ? 3_0_0 EXIST::FUNCTION:
EVP_RAND_set_callbacks ? 3_0_0 NOEXIST::FUNCTION:
EVP_RAND_enable_locking ? 3_0_0 EXIST::FUNCTION:
EVP_RAND_verify_zeroization ? 3_0_0 EXIST::FUNCTION:
EVP_RAND_strength ? 3_0_0 EXIST::FUNCTION:
EVP_RAND_state ? 3_0_0 EXIST::FUNCTION:
RAND_DRBG_verify_zeroization ? 3_0_0 EXIST::FUNCTION:
RAND_DRBG_verify_zeroization ? 3_0_0 NOEXIST::FUNCTION:
EVP_default_properties_is_fips_enabled ? 3_0_0 EXIST::FUNCTION:
EVP_default_properties_enable_fips ? 3_0_0 EXIST::FUNCTION:
EVP_PKEY_new_raw_private_key_with_libctx ? 3_0_0 EXIST::FUNCTION:
@ -5197,6 +5197,9 @@ OSSL_DESERIALIZER_CTX_set_cleanup ? 3_0_0 EXIST::FUNCTION:
OSSL_DESERIALIZER_CTX_get_construct ? 3_0_0 EXIST::FUNCTION:
OSSL_DESERIALIZER_CTX_get_construct_data ? 3_0_0 EXIST::FUNCTION:
OSSL_DESERIALIZER_CTX_get_cleanup ? 3_0_0 EXIST::FUNCTION:
RAND_get0_primary ? 3_0_0 EXIST::FUNCTION:
RAND_get0_public ? 3_0_0 EXIST::FUNCTION:
RAND_get0_private ? 3_0_0 EXIST::FUNCTION:
PKCS12_SAFEBAG_get0_bag_obj ? 3_0_0 EXIST::FUNCTION:
PKCS12_SAFEBAG_get0_bag_type ? 3_0_0 EXIST::FUNCTION:
PKCS12_SAFEBAG_create_secret ? 3_0_0 EXIST::FUNCTION: