1=pod 2 3=head1 NAME 4 5EVP_RAND, EVP_RAND_fetch, EVP_RAND_free, EVP_RAND_up_ref, EVP_RAND_CTX, 6EVP_RAND_CTX_new, EVP_RAND_CTX_free, EVP_RAND_instantiate, 7EVP_RAND_uninstantiate, EVP_RAND_generate, EVP_RAND_reseed, EVP_RAND_nonce, 8EVP_RAND_enable_locking, EVP_RAND_verify_zeroization, EVP_RAND_get_strength, 9EVP_RAND_get_state, 10EVP_RAND_get0_provider, EVP_RAND_CTX_get0_rand, EVP_RAND_is_a, 11EVP_RAND_get0_name, EVP_RAND_names_do_all, 12EVP_RAND_get0_description, 13EVP_RAND_CTX_get_params, 14EVP_RAND_CTX_set_params, EVP_RAND_do_all_provided, EVP_RAND_get_params, 15EVP_RAND_gettable_ctx_params, EVP_RAND_settable_ctx_params, 16EVP_RAND_CTX_gettable_params, EVP_RAND_CTX_settable_params, 17EVP_RAND_gettable_params, EVP_RAND_STATE_UNINITIALISED, EVP_RAND_STATE_READY, 18EVP_RAND_STATE_ERROR - EVP RAND routines 19 20=head1 SYNOPSIS 21 22 #include <openssl/evp.h> 23 24 typedef struct evp_rand_st EVP_RAND; 25 typedef struct evp_rand_ctx_st EVP_RAND_CTX; 26 27 EVP_RAND *EVP_RAND_fetch(OSSL_LIB_CTX *libctx, const char *algorithm, 28 const char *properties); 29 int EVP_RAND_up_ref(EVP_RAND *rand); 30 void EVP_RAND_free(EVP_RAND *rand); 31 EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, EVP_RAND_CTX *parent); 32 void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx); 33 EVP_RAND *EVP_RAND_CTX_get0_rand(EVP_RAND_CTX *ctx); 34 int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]); 35 int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[]); 36 int EVP_RAND_CTX_set_params(EVP_RAND_CTX *ctx, const OSSL_PARAM params[]); 37 const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand); 38 const OSSL_PARAM *EVP_RAND_gettable_ctx_params(const EVP_RAND *rand); 39 const OSSL_PARAM *EVP_RAND_settable_ctx_params(const EVP_RAND *rand); 40 const OSSL_PARAM *EVP_RAND_CTX_gettable_params(EVP_RAND_CTX *ctx); 41 const OSSL_PARAM *EVP_RAND_CTX_settable_params(EVP_RAND_CTX *ctx); 42 const char *EVP_RAND_get0_name(const EVP_RAND *rand); 43 const char *EVP_RAND_get0_description(const EVP_RAND *rand); 44 int EVP_RAND_is_a(const EVP_RAND *rand, const char *name); 45 const OSSL_PROVIDER *EVP_RAND_get0_provider(const EVP_RAND *rand); 46 void EVP_RAND_do_all_provided(OSSL_LIB_CTX *libctx, 47 void (*fn)(EVP_RAND *rand, void *arg), 48 void *arg); 49 int EVP_RAND_names_do_all(const EVP_RAND *rand, 50 void (*fn)(const char *name, void *data), 51 void *data); 52 53 int EVP_RAND_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, 54 int prediction_resistance, 55 const unsigned char *pstr, size_t pstr_len, 56 const OSSL_PARAM params[]); 57 int EVP_RAND_uninstantiate(EVP_RAND_CTX *ctx); 58 int EVP_RAND_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen, 59 unsigned int strength, int prediction_resistance, 60 const unsigned char *addin, size_t addin_len); 61 int EVP_RAND_reseed(EVP_RAND_CTX *ctx, int prediction_resistance, 62 const unsigned char *ent, size_t ent_len, 63 const unsigned char *addin, size_t addin_len); 64 int EVP_RAND_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen); 65 int EVP_RAND_enable_locking(EVP_RAND_CTX *ctx); 66 int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx); 67 unsigned int EVP_RAND_get_strength(EVP_RAND_CTX *ctx); 68 int EVP_RAND_get_state(EVP_RAND_CTX *ctx); 69 70 #define EVP_RAND_STATE_UNINITIALISED 0 71 #define EVP_RAND_STATE_READY 1 72 #define EVP_RAND_STATE_ERROR 2 73 74=head1 DESCRIPTION 75 76The EVP RAND routines are a high-level interface to random number generators 77both deterministic and not. 78If you just want to generate random bytes then you don't need to use 79these functions: just call RAND_bytes() or RAND_priv_bytes(). 80If you want to do more, these calls should be used instead of the older 81RAND and RAND_DRBG functions. 82 83After creating a B<EVP_RAND_CTX> for the required algorithm using 84EVP_RAND_CTX_new(), inputs to the algorithm are supplied either by 85passing them as part of the EVP_RAND_instantiate() call or using calls to 86EVP_RAND_CTX_set_params() before calling EVP_RAND_instantiate(). Finally, 87call EVP_RAND_generate() to produce cryptographically secure random bytes. 88 89=head2 Types 90 91B<EVP_RAND> is a type that holds the implementation of a RAND. 92 93B<EVP_RAND_CTX> is a context type that holds the algorithm inputs. 94B<EVP_RAND_CTX> structures are reference counted. 95 96=head2 Algorithm implementation fetching 97 98EVP_RAND_fetch() fetches an implementation of a RAND I<algorithm>, given 99a library context I<libctx> and a set of I<properties>. 100See L<crypto(7)/ALGORITHM FETCHING> for further information. 101 102The returned value must eventually be freed with 103L<EVP_RAND_free(3)>. 104 105EVP_RAND_up_ref() increments the reference count of an already fetched 106RAND. 107 108EVP_RAND_free() frees a fetched algorithm. 109NULL is a valid parameter, for which this function is a no-op. 110 111=head2 Context manipulation functions 112 113EVP_RAND_CTX_new() creates a new context for the RAND implementation I<rand>. 114If not NULL, I<parent> specifies the seed source for this implementation. 115Not all random number generators need to have a seed source specified. 116If a parent is required, a NULL I<parent> will utilise the operating 117system entropy sources. 118It is recommended to minimise the number of random number generators that 119rely on the operating system for their randomness because this is often scarce. 120 121EVP_RAND_CTX_free() frees up the context I<ctx>. If I<ctx> is NULL, nothing 122is done. 123 124EVP_RAND_CTX_get0_rand() returns the B<EVP_RAND> associated with the context 125I<ctx>. 126 127=head2 Random Number Generator Functions 128 129EVP_RAND_instantiate() processes any parameters in I<params> and 130then instantiates the RAND I<ctx> with a minimum security strength 131of <strength> and personalisation string I<pstr> of length <pstr_len>. 132If I<prediction_resistance> is specified, fresh entropy from a live source 133will be sought. This call operates as per NIST SP 800-90A and SP 800-90C. 134 135EVP_RAND_uninstantiate() uninstantiates the RAND I<ctx> as per 136NIST SP 800-90A and SP 800-90C. Subsequent to this call, the RAND cannot 137be used to generate bytes. It can only be freed or instantiated again. 138 139EVP_RAND_generate() produces random bytes from the RAND I<ctx> with the 140additional input I<addin> of length I<addin_len>. The bytes 141produced will meet the security I<strength>. 142If I<prediction_resistance> is specified, fresh entropy from a live source 143will be sought. This call operates as per NIST SP 800-90A and SP 800-90C. 144 145EVP_RAND_reseed() reseeds the RAND with new entropy. 146Entropy I<ent> of length I<ent_len> bytes can be supplied as can additional 147input I<addin> of length I<addin_len> bytes. In the FIPS provider, both are 148treated as additional input as per NIST SP-800-90Ar1, Sections 9.1 and 9.2. 149Additional seed material is also drawn from the RAND's parent or the 150operating system. If I<prediction_resistance> is specified, fresh entropy 151from a live source will be sought. This call operates as per NIST SP 800-90A 152and SP 800-90C. 153 154EVP_RAND_nonce() creates a nonce in I<out> of length I<outlen> 155bytes from the RAND I<ctx>. 156 157EVP_RAND_enable_locking() enables locking for the RAND I<ctx> and all of 158its parents. After this I<ctx> will operate in a thread safe manner, albeit 159more slowly. This function is not itself thread safe if called with the same 160I<ctx> from multiple threads. Typically locking should be enabled before a 161I<ctx> is shared across multiple threads. 162 163EVP_RAND_get_params() retrieves details about the implementation 164I<rand>. 165The set of parameters given with I<params> determine exactly what 166parameters should be retrieved. 167Note that a parameter that is unknown in the underlying context is 168simply ignored. 169 170EVP_RAND_CTX_get_params() retrieves chosen parameters, given the 171context I<ctx> and its underlying context. 172The set of parameters given with I<params> determine exactly what 173parameters should be retrieved. 174Note that a parameter that is unknown in the underlying context is 175simply ignored. 176 177EVP_RAND_CTX_set_params() passes chosen parameters to the underlying 178context, given a context I<ctx>. 179The set of parameters given with I<params> determine exactly what 180parameters are passed down. 181Note that a parameter that is unknown in the underlying context is 182simply ignored. 183Also, what happens when a needed parameter isn't passed down is 184defined by the implementation. 185 186EVP_RAND_gettable_params() returns an L<OSSL_PARAM(3)> array that describes 187the retrievable and settable parameters. EVP_RAND_gettable_params() returns 188parameters that can be used with EVP_RAND_get_params(). 189 190EVP_RAND_gettable_ctx_params() and EVP_RAND_CTX_gettable_params() return 191constant L<OSSL_PARAM(3)> arrays that describe the retrievable parameters that 192can be used with EVP_RAND_CTX_get_params(). EVP_RAND_gettable_ctx_params() 193returns the parameters that can be retrieved from the algorithm, whereas 194EVP_RAND_CTX_gettable_params() returns the parameters that can be retrieved 195in the context's current state. 196 197EVP_RAND_settable_ctx_params() and EVP_RAND_CTX_settable_params() return 198constant L<OSSL_PARAM(3)> arrays that describe the settable parameters that 199can be used with EVP_RAND_CTX_set_params(). EVP_RAND_settable_ctx_params() 200returns the parameters that can be retrieved from the algorithm, whereas 201EVP_RAND_CTX_settable_params() returns the parameters that can be retrieved 202in the context's current state. 203 204=head2 Information functions 205 206EVP_RAND_get_strength() returns the security strength of the RAND I<ctx>. 207 208EVP_RAND_get_state() returns the current state of the RAND I<ctx>. 209States defined by the OpenSSL RNGs are: 210 211=over 4 212 213=item * 214 215EVP_RAND_STATE_UNINITIALISED: this RNG is currently uninitialised. 216The instantiate call will change this to the ready state. 217 218=item * 219 220EVP_RAND_STATE_READY: this RNG is currently ready to generate output. 221 222=item * 223 224EVP_RAND_STATE_ERROR: this RNG is in an error state. 225 226=back 227 228EVP_RAND_is_a() returns 1 if I<rand> is an implementation of an 229algorithm that's identifiable with I<name>, otherwise 0. 230 231EVP_RAND_get0_provider() returns the provider that holds the implementation 232of the given I<rand>. 233 234EVP_RAND_do_all_provided() traverses all RAND implemented by all activated 235providers in the given library context I<libctx>, and for each of the 236implementations, calls the given function I<fn> with the implementation method 237and the given I<arg> as argument. 238 239EVP_RAND_get0_name() returns the canonical name of I<rand>. 240 241EVP_RAND_names_do_all() traverses all names for I<rand>, and calls 242I<fn> with each name and I<data>. 243 244EVP_RAND_get0_description() returns a description of the rand, meant for 245display and human consumption. The description is at the discretion of 246the rand implementation. 247 248EVP_RAND_verify_zeroization() confirms if the internal DRBG state is 249currently zeroed. This is used by the FIPS provider to support the mandatory 250self tests. 251 252=head1 PARAMETERS 253 254The standard parameter names are: 255 256=over 4 257 258=item "state" (B<OSSL_RAND_PARAM_STATE>) <integer> 259 260Returns the state of the random number generator. 261 262=item "strength" (B<OSSL_RAND_PARAM_STRENGTH>) <unsigned integer> 263 264Returns the bit strength of the random number generator. 265 266=back 267 268For rands that are also deterministic random bit generators (DRBGs), these 269additional parameters are recognised. Not all 270parameters are relevant to, or are understood by all DRBG rands: 271 272=over 4 273 274=item "reseed_requests" (B<OSSL_DRBG_PARAM_RESEED_REQUESTS>) <unsigned integer> 275 276Reads or set the number of generate requests before reseeding the 277associated RAND ctx. 278 279=item "reseed_time_interval" (B<OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL>) <integer> 280 281Reads or set the number of elapsed seconds before reseeding the 282associated RAND ctx. 283 284=item "max_request" (B<OSSL_DRBG_PARAM_RESEED_REQUESTS>) <unsigned integer> 285 286Specifies the maximum number of bytes that can be generated in a single 287call to OSSL_FUNC_rand_generate. 288 289=item "min_entropylen" (B<OSSL_DRBG_PARAM_MIN_ENTROPYLEN>) <unsigned integer> 290 291=item "max_entropylen" (B<OSSL_DRBG_PARAM_MAX_ENTROPYLEN>) <unsigned integer> 292 293Specify the minimum and maximum number of bytes of random material that 294can be used to seed the DRBG. 295 296=item "min_noncelen" (B<OSSL_DRBG_PARAM_MIN_NONCELEN>) <unsigned integer> 297 298=item "max_noncelen" (B<OSSL_DRBG_PARAM_MAX_NONCELEN>) <unsigned integer> 299 300Specify the minimum and maximum number of bytes of nonce that can be used to 301seed the DRBG. 302 303=item "max_perslen" (B<OSSL_DRBG_PARAM_MAX_PERSLEN>) <unsigned integer> 304 305=item "max_adinlen" (B<OSSL_DRBG_PARAM_MAX_ADINLEN>) <unsigned integer> 306 307Specify the minimum and maximum number of bytes of personalisation string 308that can be used with the DRBG. 309 310=item "reseed_counter" (B<OSSL_DRBG_PARAM_RESEED_COUNTER>) <unsigned integer> 311 312Specifies the number of times the DRBG has been seeded or reseeded. 313 314=item "properties" (B<OSSL_RAND_PARAM_PROPERTIES>) <UTF8 string> 315 316=item "mac" (B<OSSL_RAND_PARAM_MAC>) <UTF8 string> 317 318=item "digest" (B<OSSL_RAND_PARAM_DIGEST>) <UTF8 string> 319 320=item "cipher" (B<OSSL_RAND_PARAM_CIPHER>) <UTF8 string> 321 322For RAND implementations that use an underlying computation MAC, digest or 323cipher, these parameters set what the algorithm should be. 324 325The value is always the name of the intended algorithm, 326or the properties in the case of B<OSSL_RAND_PARAM_PROPERTIES>. 327 328=back 329 330=head1 NOTES 331 332The use of a nonzero value for the I<prediction_resistance> argument to 333EVP_RAND_instantiate(), EVP_RAND_generate() or EVP_RAND_reseed() should 334be used sparingly. In the default setup, this will cause all public and 335private DRBGs to be reseeded on next use. Since, by default, public and 336private DRBGs are allocated on a per thread basis, this can result in 337significant overhead for highly multi-threaded applications. For normal 338use-cases, the default "reseed_requests" and "reseed_time_interval" 339thresholds ensure sufficient prediction resistance over time and you 340can reduce those values if you think they are too high. Explicitly 341requesting prediction resistance is intended for more special use-cases 342like generating long-term secrets. 343 344An B<EVP_RAND_CTX> needs to have locking enabled if it acts as the parent of 345more than one child and the children can be accessed concurrently. This must 346be done by explicitly calling EVP_RAND_enable_locking(). 347 348The RAND life-cycle is described in L<life_cycle-rand(7)>. In the future, 349the transitions described there will be enforced. When this is done, it will 350not be considered a breaking change to the API. 351 352=head1 RETURN VALUES 353 354EVP_RAND_fetch() returns a pointer to a newly fetched B<EVP_RAND>, or 355NULL if allocation failed. 356 357EVP_RAND_get0_provider() returns a pointer to the provider for the RAND, or 358NULL on error. 359 360EVP_RAND_CTX_get0_rand() returns a pointer to the B<EVP_RAND> associated 361with the context. 362 363EVP_RAND_get0_name() returns the name of the random number generation 364algorithm. 365 366EVP_RAND_up_ref() returns 1 on success, 0 on error. 367 368EVP_RAND_names_do_all() returns 1 if the callback was called for all names. A 369return value of 0 means that the callback was not called for any names. 370 371EVP_RAND_CTX_new() returns either the newly allocated 372B<EVP_RAND_CTX> structure or NULL if an error occurred. 373 374EVP_RAND_CTX_free() does not return a value. 375 376EVP_RAND_nonce() returns 1 on success, 0 on error. 377 378EVP_RAND_get_strength() returns the strength of the random number generator 379in bits. 380 381EVP_RAND_gettable_params(), EVP_RAND_gettable_ctx_params() and 382EVP_RAND_settable_ctx_params() return an array of OSSL_PARAMs. 383 384EVP_RAND_verify_zeroization() returns 1 if the internal DRBG state is 385currently zeroed, and 0 if not. 386 387The remaining functions return 1 for success and 0 or a negative value for 388failure. 389 390=head1 SEE ALSO 391 392L<RAND_bytes(3)>, 393L<EVP_RAND-CTR-DRBG(7)>, 394L<EVP_RAND-HASH-DRBG(7)>, 395L<EVP_RAND-HMAC-DRBG(7)>, 396L<EVP_RAND-TEST-RAND(7)>, 397L<provider-rand(7)>, 398L<life_cycle-rand(7)> 399 400=head1 HISTORY 401 402This functionality was added to OpenSSL 3.0. 403 404=head1 COPYRIGHT 405 406Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. 407 408Licensed under the Apache License 2.0 (the "License"). You may not use 409this file except in compliance with the License. You can obtain a copy 410in the file LICENSE in the source distribution or at 411L<https://www.openssl.org/source/license.html>. 412 413=cut 414