1RAND_DRBG_SET_CALLBACKS(3)          OpenSSL         RAND_DRBG_SET_CALLBACKS(3)
2
3
4

NAME

6       RAND_DRBG_set_callbacks, RAND_DRBG_get_entropy_fn,
7       RAND_DRBG_cleanup_entropy_fn, RAND_DRBG_get_nonce_fn,
8       RAND_DRBG_cleanup_nonce_fn - set callbacks for reseeding
9

SYNOPSIS

11        #include <openssl/rand_drbg.h>
12
13
14        int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
15                                    RAND_DRBG_get_entropy_fn get_entropy,
16                                    RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
17                                    RAND_DRBG_get_nonce_fn get_nonce,
18                                    RAND_DRBG_cleanup_nonce_fn cleanup_nonce);
19
20   Callback Functions
21        typedef size_t (*RAND_DRBG_get_entropy_fn)(
22                              RAND_DRBG *drbg,
23                              unsigned char **pout,
24                              int entropy,
25                              size_t min_len, size_t max_len,
26                              int prediction_resistance);
27
28        typedef void (*RAND_DRBG_cleanup_entropy_fn)(
29                            RAND_DRBG *drbg,
30                            unsigned char *out, size_t outlen);
31
32        typedef size_t (*RAND_DRBG_get_nonce_fn)(
33                              RAND_DRBG *drbg,
34                              unsigned char **pout,
35                              int entropy,
36                              size_t min_len, size_t max_len);
37
38        typedef void (*RAND_DRBG_cleanup_nonce_fn)(
39                            RAND_DRBG *drbg,
40                            unsigned char *out, size_t outlen);
41

DESCRIPTION

43       RAND_DRBG_set_callbacks() sets the callbacks for obtaining fresh
44       entropy and the nonce when reseeding the given drbg.  The callback
45       functions are implemented and provided by the caller.  Their parameter
46       lists need to match the function prototypes above.
47
48       Setting the callbacks is allowed only if the DRBG has not been
49       initialized yet.  Otherwise, the operation will fail.  To change the
50       settings for one of the three shared DRBGs it is necessary to call
51       RAND_DRBG_uninstantiate() first.
52
53       The get_entropy() callback is called by the drbg when it requests fresh
54       random input.  It is expected that the callback allocates and fills a
55       random buffer of size min_len <= size <= max_len (in bytes) which
56       contains at least entropy bits of randomness.  The
57       prediction_resistance flag indicates whether the reseeding was
58       triggered by a prediction resistance request.
59
60       The buffer's address is to be returned in *pout and the number of
61       collected randomness bytes as return value.
62
63       If the callback fails to acquire at least entropy bits of randomness,
64       it must indicate an error by returning a buffer length of 0.
65
66       If prediction_resistance was requested and the random source of the
67       DRBG does not satisfy the conditions requested by [NIST SP 800-90C],
68       then it must also indicate an error by returning a buffer length of 0.
69       See NOTES section for more details.
70
71       The cleanup_entropy() callback is called from the drbg to clear and
72       free the buffer allocated previously by get_entropy().  The values out
73       and outlen are the random buffer's address and length, as returned by
74       the get_entropy() callback.
75
76       The get_nonce() and cleanup_nonce() callbacks are used to obtain a
77       nonce and free it again. A nonce is only required for instantiation
78       (not for reseeding) and only in the case where the DRBG uses a
79       derivation function.  The callbacks are analogous to get_entropy() and
80       cleanup_entropy(), except for the missing prediction_resistance flag.
81
82       If the derivation function is disabled, then no nonce is used for
83       instantiation, and the get_nonce() and cleanup_nonce() callbacks can be
84       omitted by setting them to NULL.
85

RETURN VALUES

87       RAND_DRBG_set_callbacks() return 1 on success, and 0 on failure
88

NOTES

90       It is important that cleanup_entropy() and cleanup_nonce() clear the
91       buffer contents safely before freeing it, in order not to leave
92       sensitive information about the DRBG's state in memory.
93
94       A request for prediction resistance can only be satisfied by pulling
95       fresh entropy from one of the approved entropy sources listed in
96       section 5.5.2 of [NIST SP 800-90C].  Since the default implementation
97       of the get_entropy callback does not have access to such an approved
98       entropy source, a request for prediction resistance will always fail.
99       In other words, prediction resistance is currently not supported yet by
100       the DRBG.
101
102       The derivation function is disabled during initialization by calling
103       the RAND_DRBG_set() function with the RAND_DRBG_FLAG_CTR_NO_DF flag.
104       For more information on the derivation function and when it can be
105       omitted, see [NIST SP 800-90A Rev. 1]. Roughly speaking it can be
106       omitted if the random source has "full entropy", i.e., contains 8 bits
107       of entropy per byte.
108
109       Even if a nonce is required, the get_nonce() and cleanup_nonce()
110       callbacks can be omitted by setting them to NULL.  In this case the
111       DRBG will automatically request an extra amount of entropy (using the
112       get_entropy() and cleanup_entropy() callbacks) which it will utilize
113       for the nonce, following the recommendations of [NIST SP 800-90A Rev.
114       1], section 8.6.7.
115

SEE ALSO

117       RAND_DRBG_new(3), RAND_DRBG_reseed(3), RAND_DRBG(7)
118

HISTORY

120       The RAND_DRBG functions were added in OpenSSL 1.1.1.
121
123       Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
124
125       Licensed under the OpenSSL license (the "License").  You may not use
126       this file except in compliance with the License.  You can obtain a copy
127       in the file LICENSE in the source distribution or at
128       <https://www.openssl.org/source/license.html>.
129
130
131
1321.1.1i                            2021-01-26        RAND_DRBG_SET_CALLBACKS(3)
Impressum