Make sure we use a nonce when a nonce is required

{

    unsigned char *nonce = NULL, *entropy = NULL;

    size_t noncelen = 0, entropylen = 0;

    size_t min_entropy = drbg->strength;

    size_t min_entropylen = drbg->min_entropylen;

    size_t max_entropylen = drbg->max_entropylen;

    if (perslen > drbg->max_perslen) {

        RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,

    }

    drbg->state = DRBG_ERROR;

    /*

     * NIST SP800-90Ar1 section 9.1 says you can combine getting the entropy

     * and nonce in 1 call by increasing the entropy with 50% and increasing

     * the minimum length to accomadate the length of the nonce.

     * We do this in case a nonce is require and get_nonce is NULL.

     */

    if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {

        min_entropy += drbg->strength / 2;

        min_entropylen += drbg->min_noncelen;

        max_entropylen += drbg->max_noncelen;

    }

    if (drbg->get_entropy != NULL)

        entropylen = drbg->get_entropy(drbg, &entropy, drbg->strength,

                                       drbg->min_entropylen,

                                       drbg->max_entropylen, 0);

    if (entropylen < drbg->min_entropylen

        || entropylen > drbg->max_entropylen) {

        entropylen = drbg->get_entropy(drbg, &entropy, min_entropy,

                                       min_entropylen, max_entropylen, 0);

    if (entropylen < min_entropylen

        || entropylen > max_entropylen) {

        RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_ENTROPY);

        goto end;

    }

    if (drbg->max_noncelen > 0 && drbg->get_nonce != NULL) {

    if (drbg->min_noncelen > 0 && drbg->get_nonce != NULL) {

        noncelen = drbg->get_nonce(drbg, &nonce, drbg->strength / 2,

                                   drbg->min_noncelen, drbg->max_noncelen);

        if (noncelen < drbg->min_noncelen || noncelen > drbg->max_noncelen) {

            RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,

                    RAND_R_ERROR_RETRIEVING_NONCE);

            RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_NONCE);

            goto end;

        }

    }

} RAND_DRBG_CTR;

/*

 * The 'random pool' acts as a dumb container for collecting random

 * input from various entropy sources. The pool has no knowledge about

 * whether its randomness is fed into a legacy RAND_METHOD via RAND_add()

 * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the

 * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and

 * 4) cleanup the random pool again.

 *

 * The random pool contains no locking mechanism because its scope and

 * lifetime is intended to be restricted to a single stack frame.

 */

struct rand_pool_st {

    unsigned char *buffer;  /* points to the beginning of the random pool */

    size_t len; /* current number of random bytes contained in the pool */

    size_t min_len; /* minimum number of random bytes requested */

    size_t max_len; /* maximum number of random bytes (allocated buffer size) */

    size_t entropy; /* current entropy count in bits */

    size_t requested_entropy; /* requested entropy count in bits */

};

/*

 * The state of all types of DRBGs, even though we only have CTR mode

 * right now.

    return ret;

}

/*

 * The 'random pool' acts as a dumb container for collecting random

 * input from various entropy sources. The pool has no knowledge about

 * whether its randomness is fed into a legacy RAND_METHOD via RAND_add()

 * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the

 * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and

 * 4) cleanup the random pool again.

 *

 * The random pool contains no locking mechanism because its scope and

 * lifetime is intended to be restricted to a single stack frame.

 */

struct rand_pool_st {

    unsigned char *buffer;  /* points to the beginning of the random pool */

    size_t len; /* current number of random bytes contained in the pool */

    size_t min_len; /* minimum number of random bytes requested */

    size_t max_len; /* maximum number of random bytes (allocated buffer size) */

    size_t entropy; /* current entropy count in bits */

    size_t requested_entropy; /* requested entropy count in bits */

};

/*

 * Allocate memory and initialize a new random pool

 */

#include <openssl/evp.h>

#include <openssl/aes.h>

#include "../crypto/rand/rand_lcl.h"

#include "../crypto/include/internal/rand_int.h"

#if defined(_WIN32)

# include <windows.h>

}

#endif

/*

 * This function only returns the entropy already added with RAND_add(),

 * and does not get entropy from the OS.

 *

 * Returns 0 on failure and the size of the buffer on success.

 */

static size_t get_pool_entropy(RAND_DRBG *drbg,

                               unsigned char **pout,

                               int entropy, size_t min_len, size_t max_len,

                               int prediction_resistance)

{

    if (drbg->pool == NULL)

        return 0;

    if (drbg->pool->entropy < (size_t)entropy || drbg->pool->len < min_len

        || drbg->pool->len > max_len)

        return 0;

    *pout = drbg->pool->buffer;

    return drbg->pool->len;

}

/*

 * Clean up the entropy that get_pool_entropy() returned.

 */

static void cleanup_pool_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen)

{

    OPENSSL_secure_clear_free(drbg->pool->buffer, drbg->pool->max_len);

    OPENSSL_free(drbg->pool);

    drbg->pool = NULL;

}

/*

 * Test that instantiating works when OS entropy is not available and that

 * RAND_add() is enough to reseed it.

 */

static int test_rand_add(void)

{

    RAND_DRBG *master = RAND_DRBG_get0_master();

    RAND_DRBG_get_entropy_fn old_get_entropy = master->get_entropy;

    RAND_DRBG_cleanup_entropy_fn old_cleanup_entropy = master->cleanup_entropy;

    int rv = 0;

    unsigned char rand_add_buf[256];

    master->get_entropy = get_pool_entropy;

    master->cleanup_entropy = cleanup_pool_entropy;

    master->reseed_counter++;

    RAND_DRBG_uninstantiate(master);

    memset(rand_add_buf, 0xCD, sizeof(rand_add_buf));

    RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));

    if (!TEST_true(RAND_DRBG_instantiate(master, NULL, 0)))

        goto error;

    rv = 1;

error:

    master->get_entropy = old_get_entropy;

    master->cleanup_entropy = old_cleanup_entropy;

    return rv;

}

int setup_tests(void)

{

    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);

    ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test));

    ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test));

    ADD_TEST(test_rand_reseed);

    ADD_TEST(test_rand_add);

#if defined(OPENSSL_THREADS)

    ADD_TEST(test_multi_thread);

#endif