Commit 4917e911 authored by Dr. Matthias St. Pierre's avatar Dr. Matthias St. Pierre
Browse files

RAND_DRBG: add a function for setting the reseeding defaults 



The introduction of thread local public and private DRBG instances (#5547)
makes it very cumbersome to change the reseeding (time) intervals for
those instances. This commit provides a function to set the default
values for all subsequently created DRBG instances.

 int RAND_DRBG_set_reseed_defaults(
                                   unsigned int master_reseed_interval,
                                   unsigned int slave_reseed_interval,
                                   time_t master_reseed_time_interval,
                                   time_t slave_reseed_time_interval
                                   );

The function is intended only to be used during application initialization,
before any threads are created and before any random bytes are generated.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5576)
parent 9ad97942

crypto/rand/drbg_ctr.c

+1 −1
Original line number Diff line number Diff line
@@ -366,6 +366,6 @@ int drbg_ctr_init(RAND_DRBG *drbg) 
    }



    drbg->max_request = 1 << 16;

    drbg->reseed_interval = MAX_RESEED_INTERVAL;



    return 1;

}

crypto/rand/drbg_lib.c

+47 −8
Original line number Diff line number Diff line
@@ -113,6 +113,12 @@ static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG"; 


static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;



static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL;

static unsigned int slave_reseed_interval  = SLAVE_RESEED_INTERVAL;



static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;

static time_t slave_reseed_time_interval  = SLAVE_RESEED_TIME_INTERVAL;



static RAND_DRBG *drbg_setup(RAND_DRBG *parent);



static RAND_DRBG *rand_drbg_new(int secure,
@@ -175,6 +181,15 @@ static RAND_DRBG *rand_drbg_new(int secure, 
    drbg->secure = secure && CRYPTO_secure_allocated(drbg);

    drbg->fork_count = rand_fork_count;

    drbg->parent = parent;



    if (parent == NULL) {

        drbg->reseed_interval = master_reseed_interval;

        drbg->reseed_time_interval = master_reseed_time_interval;

    } else {

        drbg->reseed_interval = slave_reseed_interval;

        drbg->reseed_time_interval = slave_reseed_time_interval;

    }



    if (RAND_DRBG_set(drbg, type, flags) == 0)

        goto err;
@@ -710,6 +725,38 @@ int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg, time_t interval) 
    return 1;

}



/*

 * Set the default values for reseed (time) intervals of new DRBG instances

 *

 * The default values can be set independently for master DRBG instances

 * (without a parent) and slave DRBG instances (with parent).

 *

 * Returns 1 on success, 0 on failure.

 */



int RAND_DRBG_set_reseed_defaults(

                                  unsigned int _master_reseed_interval,

                                  unsigned int _slave_reseed_interval,

                                  time_t _master_reseed_time_interval,

                                  time_t _slave_reseed_time_interval

                                  )

{

    if (_master_reseed_interval > MAX_RESEED_INTERVAL

        || _slave_reseed_interval > MAX_RESEED_INTERVAL)

        return 0;



    if (_master_reseed_time_interval > MAX_RESEED_TIME_INTERVAL

        || _slave_reseed_time_interval > MAX_RESEED_TIME_INTERVAL)

        return 0;



    master_reseed_interval = _master_reseed_interval;

    slave_reseed_interval = _slave_reseed_interval;



    master_reseed_time_interval = _master_reseed_time_interval;

    slave_reseed_time_interval = _slave_reseed_time_interval;



    return 1;

}



/*

 * Locks the given drbg. Locking a drbg which does not have locking
@@ -809,14 +856,6 @@ static RAND_DRBG *drbg_setup(RAND_DRBG *parent) 
    if (rand_drbg_enable_locking(drbg) == 0)

        goto err;



    if (parent == NULL) {

        drbg->reseed_interval = MASTER_RESEED_INTERVAL;

        drbg->reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;

    } else {

        drbg->reseed_interval = SLAVE_RESEED_INTERVAL;

        drbg->reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL;

    }



    /* enable seed propagation */

    drbg->reseed_counter = 1;

include/internal/rand.h

+7 −0
Original line number Diff line number Diff line
@@ -56,6 +56,13 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen); 
int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg, unsigned int interval);

int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg, time_t interval);



int RAND_DRBG_set_reseed_defaults(

                                  unsigned int master_reseed_interval,

                                  unsigned int slave_reseed_interval,

                                  time_t master_reseed_time_interval,

                                  time_t slave_reseed_time_interval

                                  );



RAND_DRBG *RAND_DRBG_get0_master(void);

RAND_DRBG *RAND_DRBG_get0_public(void);

RAND_DRBG *RAND_DRBG_get0_private(void);

util/libcrypto.num

+1 −0
Original line number Diff line number Diff line
@@ -4521,3 +4521,4 @@ OSSL_STORE_SEARCH_by_alias 4462 1_1_1 EXIST::FUNCTION: 
OSSL_STORE_LOADER_set_find              4463	1_1_1	EXIST::FUNCTION:

OSSL_STORE_SEARCH_free                  4464	1_1_1	EXIST::FUNCTION:

OSSL_STORE_SEARCH_get0_digest           4465	1_1_1	EXIST::FUNCTION:

RAND_DRBG_set_reseed_defaults           4466	1_1_1	EXIST::FUNCTION: