mirror of
https://github.com/openssl/openssl.git
synced 2024-12-03 05:41:46 +08:00
7d615e2178
The RAND_DRBG API did not fit well into the new provider concept as implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the RAND_DRBG API is a mixture of 'front end' and 'back end' API calls and some of its API calls are rather low-level. This holds in particular for the callback mechanism (RAND_DRBG_set_callbacks()) and the RAND_DRBG type changing mechanism (RAND_DRBG_set()). Adding a compatibility layer to continue supporting the RAND_DRBG API as a legacy API for a regular deprecation period turned out to come at the price of complicating the new provider API unnecessarily. Since the RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC to drop it entirely. Other related changes: Use RNG instead of DRBG in EVP_RAND documentation. The documentation was using DRBG in places where it should have been RNG or CSRNG. Move the RAND_DRBG(7) documentation to EVP_RAND(7). Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12509)
370 lines
14 KiB
Plaintext
370 lines
14 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
EVP_RAND, EVP_RAND_fetch, EVP_RAND_free, EVP_RAND_up_ref, EVP_RAND_CTX,
|
|
EVP_RAND_CTX_new, EVP_RAND_CTX_free, EVP_RAND_instantiate,
|
|
EVP_RAND_uninstantiate, EVP_RAND_generate, EVP_RAND_reseed,
|
|
EVP_RAND_nonce, EVP_RAND_enable_locking,
|
|
EVP_RAND_verify_zeroization, EVP_RAND_strength, EVP_RAND_state,
|
|
EVP_RAND_provider, EVP_RAND_CTX_rand, EVP_RAND_is_a, EVP_RAND_number,
|
|
EVP_RAND_name, EVP_RAND_names_do_all, EVP_RAND_get_ctx_params,
|
|
EVP_RAND_set_ctx_params, EVP_RAND_do_all_provided, EVP_RAND_get_params,
|
|
EVP_RAND_gettable_ctx_params, EVP_RAND_settable_ctx_params,
|
|
EVP_RAND_gettable_params, EVP_RAND_STATE_UNINITIALISED, EVP_RAND_STATE_READY,
|
|
EVP_RAND_STATE_ERROR - EVP RAND routines
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
typedef struct evp_rand_st EVP_RAND;
|
|
typedef struct evp_rand_ctx_st EVP_RAND_CTX;
|
|
|
|
EVP_RAND *EVP_RAND_fetch(OPENSSL_CTX *libctx, const char *algorithm,
|
|
const char *properties);
|
|
int EVP_RAND_up_ref(EVP_RAND *rand);
|
|
void EVP_RAND_free(EVP_RAND *rand);
|
|
EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, EVP_RAND_CTX *parent);
|
|
void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx);
|
|
EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx);
|
|
int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]);
|
|
int EVP_RAND_get_ctx_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[]);
|
|
int EVP_RAND_set_ctx_params(EVP_RAND_CTX *ctx, const OSSL_PARAM params[]);
|
|
const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand);
|
|
const OSSL_PARAM *EVP_RAND_gettable_ctx_params(const EVP_RAND *rand);
|
|
const OSSL_PARAM *EVP_RAND_settable_ctx_params(const EVP_RAND *rand);
|
|
int EVP_RAND_number(const EVP_RAND *rand);
|
|
const char *EVP_RAND_name(const EVP_RAND *rand);
|
|
int EVP_RAND_is_a(const EVP_RAND *rand, const char *name);
|
|
const OSSL_PROVIDER *EVP_RAND_provider(const EVP_RAND *rand);
|
|
void EVP_RAND_do_all_provided(OPENSSL_CTX *libctx,
|
|
void (*fn)(EVP_RAND *rand, void *arg),
|
|
void *arg);
|
|
void EVP_RAND_names_do_all(const EVP_RAND *rand,
|
|
void (*fn)(const char *name, void *data),
|
|
void *data);
|
|
|
|
int EVP_RAND_instantiate(EVP_RAND_CTX *ctx, unsigned int strength,
|
|
int prediction_resistance,
|
|
const unsigned char *pstr, size_t pstr_len);
|
|
int EVP_RAND_uninstantiate(EVP_RAND_CTX *ctx);
|
|
int EVP_RAND_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen,
|
|
unsigned int strength, int prediction_resistance,
|
|
const unsigned char *addin, size_t addin_len);
|
|
int EVP_RAND_reseed(EVP_RAND_CTX *ctx, int prediction_resistance,
|
|
const unsigned char *ent, size_t ent_len,
|
|
const unsigned char *addin, size_t addin_len);
|
|
int EVP_RAND_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen);
|
|
int EVP_RAND_enable_locking(EVP_RAND_CTX *ctx);
|
|
int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx);
|
|
unsigned int EVP_RAND_strength(EVP_RAND_CTX *ctx);
|
|
int EVP_RAND_state(EVP_RAND_CTX *ctx);
|
|
|
|
#define EVP_RAND_STATE_UNINITIALISED 0
|
|
#define EVP_RAND_STATE_READY 1
|
|
#define EVP_RAND_STATE_ERROR 2
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
The EVP RAND routines are a high-level interface to random number generators
|
|
both deterministic and not.
|
|
If you just want to generate random bytes then you don't need to use
|
|
these functions: just call RAND_bytes() or RAND_priv_bytes().
|
|
If you want to do more, these calls should be used instead of the older
|
|
RAND and RAND_DRBG functions.
|
|
|
|
After creating a B<EVP_RAND_CTX> for the required algorithm using
|
|
EVP_RAND_CTX_new(), inputs to the algorithm are supplied
|
|
using calls to EVP_RAND_set_ctx_params() before
|
|
calling EVP_RAND_instantiate() and then EVP_RAND_generate() to produce
|
|
cryptographically secure random bytes.
|
|
|
|
=head2 Types
|
|
|
|
B<EVP_RAND> is a type that holds the implementation of a RAND.
|
|
|
|
B<EVP_RAND_CTX> is a context type that holds the algorithm inputs.
|
|
|
|
=head2 Algorithm implementation fetching
|
|
|
|
EVP_RAND_fetch() fetches an implementation of a RAND I<algorithm>, given
|
|
a library context I<libctx> and a set of I<properties>.
|
|
See L<provider(7)/Fetching algorithms> for further information.
|
|
|
|
The returned value must eventually be freed with
|
|
L<EVP_RAND_free(3)>.
|
|
|
|
EVP_RAND_up_ref() increments the reference count of an already fetched
|
|
RAND.
|
|
|
|
EVP_RAND_free() frees a fetched algorithm.
|
|
NULL is a valid parameter, for which this function is a no-op.
|
|
|
|
=head2 Context manipulation functions
|
|
|
|
EVP_RAND_CTX_new() creates a new context for the RAND implementation I<rand>.
|
|
If not NULL, I<parent> specifies the seed source for this implementation.
|
|
Not all random number generators need to have a seed source specified.
|
|
If a parent is required, a NULL I<parent> will utilise the operating
|
|
system entropy sources.
|
|
It is recommended to minimise the number of random number generators that
|
|
rely on the operating system for their randomness because this is often scarce.
|
|
|
|
EVP_RAND_CTX_free() frees up the context I<ctx>. If I<ctx> is NULL, nothing
|
|
is done.
|
|
|
|
EVP_RAND_CTX_rand() returns the B<EVP_RAND> associated with the context
|
|
I<ctx>.
|
|
|
|
=head2 Random Number Generator Functions
|
|
|
|
EVP_RAND_instantiate() instantiates the RAND I<ctx> with a minimum security
|
|
strength of <strength> and personalisation string I<pstr> of length <pstr_len>.
|
|
If I<prediction_resistance> is specified, fresh entropy from a live source
|
|
will be sought. This call operates as per NIST SP 800-90A and SP 800-90C.
|
|
|
|
EVP_RAND_uninstantiate() uninstantiates the RAND I<ctx> as per
|
|
NIST SP 800-90A and SP 800-90C. Subsequent to this call, the RAND cannot
|
|
be used to generate bytes. It can only be freed or instantiated again.
|
|
|
|
EVP_RAND_generate() produces random bytes from the RAND I<ctx> with the
|
|
additional input I<addin> of length I<addin_len>. The bytes
|
|
produced will meet the security I<strength>.
|
|
If I<prediction_resistance> is specified, fresh entropy from a live source
|
|
will be sought. This call operates as per NIST SP 800-90A and SP 800-90C.
|
|
|
|
EVP_RAND_reseed() reseeds the RAND with new entropy.
|
|
Entropy I<ent> of length I<ent_len> bytes can be supplied as can additional
|
|
input I<addin> of length I<addin_len> bytes. In the FIPS provider, both are
|
|
treated as additional input as per NIST SP-800-90Ar1, Sections 9.1 and 9.2.
|
|
Additional seed material is also drawn from the RAND's parent or the
|
|
operating system. If I<prediction_resistance> is specified, fresh entropy
|
|
from a live source will be sought. This call operates as per NIST SP 800-90A
|
|
and SP 800-90C.
|
|
|
|
EVP_RAND_nonce() creates a nonce in I<out> of maximum length I<outlen>
|
|
bytes from the RAND I<ctx>. The function returns the length of the generated
|
|
nonce. If I<out> is NULL, the length is still returned but no generation
|
|
takes place. This allows a caller to dynamically allocate a buffer of the
|
|
appropriate size.
|
|
|
|
EVP_RAND_enable_locking() enables locking for the RAND I<ctx> and all of
|
|
its parents. After this I<ctx> will operate in a thread safe manner, albeit
|
|
more slowly.
|
|
|
|
EVP_RAND_get_params() retrieves details about the implementation
|
|
I<rand>.
|
|
The set of parameters given with I<params> determine exactly what
|
|
parameters should be retrieved.
|
|
Note that a parameter that is unknown in the underlying context is
|
|
simply ignored.
|
|
|
|
EVP_RAND_get_ctx_params() retrieves chosen parameters, given the
|
|
context I<ctx> and its underlying context.
|
|
The set of parameters given with I<params> determine exactly what
|
|
parameters should be retrieved.
|
|
Note that a parameter that is unknown in the underlying context is
|
|
simply ignored.
|
|
|
|
EVP_RAND_set_ctx_params() passes chosen parameters to the underlying
|
|
context, given a context I<ctx>.
|
|
The set of parameters given with I<params> determine exactly what
|
|
parameters are passed down.
|
|
Note that a parameter that is unknown in the underlying context is
|
|
simply ignored.
|
|
Also, what happens when a needed parameter isn't passed down is
|
|
defined by the implementation.
|
|
|
|
EVP_RAND_gettable_params(), EVP_RAND_gettable_ctx_params() and
|
|
EVP_RAND_settable_ctx_params() get a constant B<OSSL_PARAM> array that
|
|
describes the retrievable and settable parameters, i.e. parameters that
|
|
can be used with EVP_RAND_get_params(), EVP_RAND_get_ctx_params()
|
|
and EVP_RAND_set_ctx_params(), respectively.
|
|
See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as parameter descriptor.
|
|
|
|
=head2 Information functions
|
|
|
|
EVP_RAND_strength() returns the security strength of the RAND I<ctx>.
|
|
|
|
EVP_RAND_state() returns the current state of the RAND I<ctx>.
|
|
States defined by the OpenSSL RNGs are:
|
|
|
|
=over 4
|
|
|
|
=item *
|
|
|
|
EVP_RAND_STATE_UNINITIALISED: this RNG is currently uninitialised.
|
|
The instantiate call will change this to the ready state.
|
|
|
|
=item *
|
|
|
|
EVP_RAND_STATE_READY: this RNG is currently ready to generate output.
|
|
|
|
=item *
|
|
|
|
EVP_RAND_STATE_ERROR: this RNG is in an error state.
|
|
|
|
=back
|
|
|
|
EVP_RAND_is_a() returns 1 if I<rand> is an implementation of an
|
|
algorithm that's identifiable with I<name>, otherwise 0.
|
|
|
|
EVP_RAND_provider() returns the provider that holds the implementation
|
|
of the given I<rand>.
|
|
|
|
EVP_RAND_do_all_provided() traverses all RAND implemented by all activated
|
|
providers in the given library context I<libctx>, and for each of the
|
|
implementations, calls the given function I<fn> with the implementation method
|
|
and the given I<arg> as argument.
|
|
|
|
EVP_RAND_number() returns the internal dynamic number assigned to
|
|
I<rand>.
|
|
|
|
EVP_RAND_name() returns the canonical name of I<rand>.
|
|
|
|
EVP_RAND_names_do_all() traverses all names for I<rand>, and calls
|
|
I<fn> with each name and I<data>.
|
|
|
|
EVP_RAND_verify_zeroization() confirms if the internal DRBG state is
|
|
currently zeroed. This is used by the FIPS provider to support the mandatory
|
|
self tests.
|
|
|
|
=head1 PARAMETERS
|
|
|
|
The standard parameter names are:
|
|
|
|
=over 4
|
|
|
|
=item "state" (B<OSSL_RAND_PARAM_STATE>) <integer>
|
|
|
|
Returns the state of the random number generator.
|
|
|
|
=item "strength" (B<OSSL_RAND_PARAM_STRENGTH>) <unsigned integer>
|
|
|
|
Returns the bit strength of the random number generator.
|
|
|
|
=back
|
|
|
|
For rands that are also deterministic random bit generators (DRBGs), these
|
|
additional parameters are recognised. Not all
|
|
parameters are relevant to, or are understood by all DRBG rands:
|
|
|
|
=over 4
|
|
|
|
=item "reseed_requests" (B<OSSL_DRBG_PARAM_RESEED_REQUESTS>) <unsigned integer>
|
|
|
|
Reads or set the number of generate requests before reseeding the
|
|
associated RAND ctx.
|
|
|
|
=item "reseed_time_interval" (B<OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL>) <integer>
|
|
|
|
Reads or set the number of elapsed seconds before reseeding the
|
|
associated RAND ctx.
|
|
|
|
=item "max_request" (B<OSSL_DRBG_PARAM_RESEED_REQUESTS>) <unsigned integer>
|
|
|
|
Specifies the maximum number of bytes that can be generated in a single
|
|
call to OSSL_FUNC_rand_generate.
|
|
|
|
=item "min_entropylen" (B<OSSL_DRBG_PARAM_MIN_ENTROPYLEN>) <unsigned integer>
|
|
|
|
=item "max_entropylen" (B<OSSL_DRBG_PARAM_MAX_ENTROPYLEN>) <unsigned integer>
|
|
|
|
Specify the minimum and maximum number of bytes of random material that
|
|
can be used to seed the DRBG.
|
|
|
|
=item "min_noncelen" (B<OSSL_DRBG_PARAM_MIN_NONCELEN>) <unsigned integer>
|
|
|
|
=item "max_noncelen" (B<OSSL_DRBG_PARAM_MAX_NONCELEN>) <unsigned integer>
|
|
|
|
Specify the minimum and maximum number of bytes of nonce that can be used to
|
|
seed the DRBG.
|
|
|
|
=item "max_perslen" (B<OSSL_DRBG_PARAM_MAX_PERSLEN>) <unsigned integer>
|
|
|
|
=item "max_adinlen" (B<OSSL_DRBG_PARAM_MAX_ADINLEN>) <unsigned integer>
|
|
|
|
Specify the minimum and maximum number of bytes of personalisation string
|
|
that can be used with the DRBG.
|
|
|
|
=item "reseed_counter" (B<OSSL_DRBG_PARAM_RESEED_CTR>) <unsigned integer>
|
|
|
|
Specifies the number of times the DRBG has been seeded or reseeded.
|
|
|
|
=item "properties" (B<OSSL_RAND_PARAM_PROPERTIES>) <UTF8 string>
|
|
|
|
=item "mac" (B<OSSL_RAND_PARAM_MAC>) <UTF8 string>
|
|
|
|
=item "digest" (B<OSSL_RAND_PARAM_DIGEST>) <UTF8 string>
|
|
|
|
=item "cipher" (B<OSSL_RAND_PARAM_CIPHER>) <UTF8 string>
|
|
|
|
For RAND implementations that use an underlying computation MAC, digest or
|
|
cipher, these parameters set what the algorithm should be.
|
|
|
|
The value is always the name of the intended algorithm,
|
|
or the properties in the case of B<OSSL_RAND_PARAM_PROPERTIES>.
|
|
|
|
=back
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
EVP_RAND_fetch() returns a pointer to a newly fetched B<EVP_RAND>, or
|
|
NULL if allocation failed.
|
|
|
|
EVP_RAND_provider() returns a pointer to the provider for the RAND, or
|
|
NULL on error.
|
|
|
|
EVP_RAND_CTX_rand() returns a pointer to the B<EVP_RAND> associated with the
|
|
context.
|
|
|
|
EVP_RAND_name() returns the name of the random number generation algorithm.
|
|
|
|
EVP_RAND_number() returns the provider specific identification number
|
|
for the specified algorithm.
|
|
|
|
EVP_RAND_up_ref() returns 1 on success, 0 on error.
|
|
|
|
EVP_RAND_CTX_new() returns either the newly allocated
|
|
B<EVP_RAND_CTX> structure or NULL if an error occurred.
|
|
|
|
EVP_RAND_CTX_free() does not return a value.
|
|
|
|
EVP_RAND_nonce() returns the length of the nonce.
|
|
|
|
EVP_RAND_strength() returns the strength of the random number generator in bits.
|
|
|
|
EVP_RAND_gettable_params(), EVP_RAND_gettable_ctx_params() and
|
|
EVP_RAND_settable_ctx_params() return an array of OSSL_PARAMs.
|
|
|
|
EVP_RAND_verify_zeroization() returns 1 if the internal DRBG state is
|
|
currently zeroed, and 0 if not.
|
|
|
|
The remaining functions return 1 for success and 0 or a negative value for
|
|
failure.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<RAND_bytes(3)>,
|
|
L<EVP_RAND-CTR-DRBG(7)>,
|
|
L<EVP_RAND-HASH-DRBG(7)>,
|
|
L<EVP_RAND-HMAC-DRBG(7)>,
|
|
L<EVP_RAND-TEST-RAND(7)>,
|
|
L<provider-rand(7)>
|
|
|
|
=head1 HISTORY
|
|
|
|
This functionality was added to OpenSSL 3.0.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|