• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1=pod
2
3=head1 NAME
4
5RAND_DRBG_set_callbacks,
6RAND_DRBG_get_entropy_fn,
7RAND_DRBG_cleanup_entropy_fn,
8RAND_DRBG_get_nonce_fn,
9RAND_DRBG_cleanup_nonce_fn
10- set callbacks for reseeding
11
12=head1 SYNOPSIS
13
14 #include <openssl/rand_drbg.h>
15
16
17 int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
18                             RAND_DRBG_get_entropy_fn get_entropy,
19                             RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
20                             RAND_DRBG_get_nonce_fn get_nonce,
21                             RAND_DRBG_cleanup_nonce_fn cleanup_nonce);
22
23
24=head2 Callback Functions
25
26 typedef size_t (*RAND_DRBG_get_entropy_fn)(
27                       RAND_DRBG *drbg,
28                       unsigned char **pout,
29                       int entropy,
30                       size_t min_len, size_t max_len,
31                       int prediction_resistance);
32
33 typedef void (*RAND_DRBG_cleanup_entropy_fn)(
34                     RAND_DRBG *drbg,
35                     unsigned char *out, size_t outlen);
36
37 typedef size_t (*RAND_DRBG_get_nonce_fn)(
38                       RAND_DRBG *drbg,
39                       unsigned char **pout,
40                       int entropy,
41                       size_t min_len, size_t max_len);
42
43 typedef void (*RAND_DRBG_cleanup_nonce_fn)(
44                     RAND_DRBG *drbg,
45                     unsigned char *out, size_t outlen);
46
47
48
49=head1 DESCRIPTION
50
51RAND_DRBG_set_callbacks() sets the callbacks for obtaining fresh entropy and
52the nonce when reseeding the given B<drbg>.
53The callback functions are implemented and provided by the caller.
54Their parameter lists need to match the function prototypes above.
55
56Setting the callbacks is allowed only if the DRBG has not been initialized yet.
57Otherwise, the operation will fail.
58To change the settings for one of the three shared DRBGs it is necessary to call
59RAND_DRBG_uninstantiate() first.
60
61The B<get_entropy>() callback is called by the B<drbg> when it requests fresh
62random input.
63It is expected that the callback allocates and fills a random buffer of size
64B<min_len> <= size <= B<max_len> (in bytes) which contains at least B<entropy>
65bits of randomness.
66The B<prediction_resistance> flag indicates whether the reseeding was
67triggered by a prediction resistance request.
68
69The buffer's address is to be returned in *B<pout> and the number of collected
70randomness bytes as return value.
71
72If the callback fails to acquire at least B<entropy> bits of randomness,
73it must indicate an error by returning a buffer length of 0.
74
75If B<prediction_resistance> was requested and the random source of the DRBG
76does not satisfy the conditions requested by [NIST SP 800-90C], then
77it must also indicate an error by returning a buffer length of 0.
78See NOTES section for more details.
79
80The B<cleanup_entropy>() callback is called from the B<drbg> to clear and
81free the buffer allocated previously by get_entropy().
82The values B<out> and B<outlen> are the random buffer's address and length,
83as returned by the get_entropy() callback.
84
85The B<get_nonce>() and B<cleanup_nonce>() callbacks are used to obtain a nonce
86and free it again. A nonce is only required for instantiation (not for reseeding)
87and only in the case where the DRBG uses a derivation function.
88The callbacks are analogous to get_entropy() and cleanup_entropy(),
89except for the missing prediction_resistance flag.
90
91If the derivation function is disabled, then no nonce is used for instantiation,
92and the B<get_nonce>() and B<cleanup_nonce>() callbacks can be omitted by
93setting them to NULL.
94
95
96=head1 RETURN VALUES
97
98RAND_DRBG_set_callbacks() return 1 on success, and 0 on failure
99
100=head1 NOTES
101
102It is important that B<cleanup_entropy>() and B<cleanup_nonce>() clear the buffer
103contents safely before freeing it, in order not to leave sensitive information
104about the DRBG's state in memory.
105
106A request for prediction resistance can only be satisfied by pulling fresh
107entropy from one of the approved entropy sources listed in section 5.5.2 of
108[NIST SP 800-90C].
109Since the default implementation of the get_entropy callback does not have access
110to such an approved entropy source, a request for prediction resistance will
111always fail.
112In other words, prediction resistance is currently not supported yet by the DRBG.
113
114The derivation function is disabled during initialization by calling the
115RAND_DRBG_set() function with the RAND_DRBG_FLAG_CTR_NO_DF flag.
116For more information on the derivation function and when it can be omitted,
117see [NIST SP 800-90A Rev. 1]. Roughly speaking it can be omitted if the random
118source has "full entropy", i.e., contains 8 bits of entropy per byte.
119
120Even if a nonce is required, the B<get_nonce>() and B<cleanup_nonce>()
121callbacks can be omitted by setting them to NULL.
122In this case the DRBG will automatically request an extra amount of entropy
123(using the B<get_entropy>() and B<cleanup_entropy>() callbacks) which it will
124utilize for the nonce, following the recommendations of [NIST SP 800-90A Rev. 1],
125section 8.6.7.
126
127=head1 SEE ALSO
128
129L<RAND_DRBG_new(3)>,
130L<RAND_DRBG_reseed(3)>,
131L<RAND_DRBG(7)>
132
133=head1 HISTORY
134
135The RAND_DRBG functions were added in OpenSSL 1.1.1.
136
137=head1 COPYRIGHT
138
139Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
140
141Licensed under the OpenSSL license (the "License").  You may not use
142this file except in compliance with the License.  You can obtain a copy
143in the file LICENSE in the source distribution or at
144L<https://www.openssl.org/source/license.html>.
145
146=cut
147