diff options
Diffstat (limited to 'crypto/rand')
-rw-r--r-- | crypto/rand/drbg_lib.c | 30 | ||||
-rw-r--r-- | crypto/rand/rand_lcl.h | 21 | ||||
-rw-r--r-- | crypto/rand/rand_lib.c | 21 |
3 files changed, 43 insertions, 29 deletions
diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index e1b3ddb57f..b9ad1b8867 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -266,6 +266,9 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, { unsigned char *nonce = NULL, *entropy = NULL; size_t noncelen = 0, entropylen = 0; + size_t min_entropy = drbg->strength; + size_t min_entropylen = drbg->min_entropylen; + size_t max_entropylen = drbg->max_entropylen; if (perslen > drbg->max_perslen) { RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, @@ -288,22 +291,33 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, } drbg->state = DRBG_ERROR; + + /* + * NIST SP800-90Ar1 section 9.1 says you can combine getting the entropy + * and nonce in 1 call by increasing the entropy with 50% and increasing + * the minimum length to accomadate the length of the nonce. + * We do this in case a nonce is require and get_nonce is NULL. + */ + if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) { + min_entropy += drbg->strength / 2; + min_entropylen += drbg->min_noncelen; + max_entropylen += drbg->max_noncelen; + } + if (drbg->get_entropy != NULL) - entropylen = drbg->get_entropy(drbg, &entropy, drbg->strength, - drbg->min_entropylen, - drbg->max_entropylen, 0); - if (entropylen < drbg->min_entropylen - || entropylen > drbg->max_entropylen) { + entropylen = drbg->get_entropy(drbg, &entropy, min_entropy, + min_entropylen, max_entropylen, 0); + if (entropylen < min_entropylen + || entropylen > max_entropylen) { RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_ENTROPY); goto end; } - if (drbg->max_noncelen > 0 && drbg->get_nonce != NULL) { + if (drbg->min_noncelen > 0 && drbg->get_nonce != NULL) { noncelen = drbg->get_nonce(drbg, &nonce, drbg->strength / 2, drbg->min_noncelen, drbg->max_noncelen); if (noncelen < drbg->min_noncelen || noncelen > drbg->max_noncelen) { - RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, - RAND_R_ERROR_RETRIEVING_NONCE); + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_NONCE); goto end; } } diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index 0a34aa0b93..94ffc96f20 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -108,6 +108,27 @@ typedef struct rand_drbg_ctr_st { /* + * The 'random pool' acts as a dumb container for collecting random + * input from various entropy sources. The pool has no knowledge about + * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() + * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the + * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and + * 4) cleanup the random pool again. + * + * The random pool contains no locking mechanism because its scope and + * lifetime is intended to be restricted to a single stack frame. + */ +struct rand_pool_st { + unsigned char *buffer; /* points to the beginning of the random pool */ + size_t len; /* current number of random bytes contained in the pool */ + + size_t min_len; /* minimum number of random bytes requested */ + size_t max_len; /* maximum number of random bytes (allocated buffer size) */ + size_t entropy; /* current entropy count in bits */ + size_t requested_entropy; /* requested entropy count in bits */ +}; + +/* * The state of all types of DRBGs, even though we only have CTR mode * right now. */ diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index defa3ecb53..143dfb0f19 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -467,27 +467,6 @@ err: } /* - * The 'random pool' acts as a dumb container for collecting random - * input from various entropy sources. The pool has no knowledge about - * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() - * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the - * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and - * 4) cleanup the random pool again. - * - * The random pool contains no locking mechanism because its scope and - * lifetime is intended to be restricted to a single stack frame. - */ -struct rand_pool_st { - unsigned char *buffer; /* points to the beginning of the random pool */ - size_t len; /* current number of random bytes contained in the pool */ - - size_t min_len; /* minimum number of random bytes requested */ - size_t max_len; /* maximum number of random bytes (allocated buffer size) */ - size_t entropy; /* current entropy count in bits */ - size_t requested_entropy; /* requested entropy count in bits */ -}; - -/* * Allocate memory and initialize a new random pool */ |