Return error when trying to use prediction resistance

There is a requirements of having access to a live entropy source
which we can't do with the default callbacks. If you need prediction
resistance you need to set up your own callbacks that follow the
requirements of NIST SP 800-90C.

Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5402

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 728013ba84a898040672ef1f0f79d0d71812bc25..0052ddf2feefd68a580dbb958c9bf993bf4b7e77 100644 (file)
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2310,6 +2310,8 @@ RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED:128:no drbg implementation selected
 RAND_R_PARENT_LOCKING_NOT_ENABLED:130:parent locking not enabled
 RAND_R_PARENT_STRENGTH_TOO_WEAK:131:parent strength too weak
 RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long
+RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED:133:\
+       prediction resistance not supported
 RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded
 RAND_R_RANDOM_POOL_OVERFLOW:125:random pool overflow
 RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg

diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c
index 36d484c726f075c7d59a918e21df756d84a336ee..0cd34ac4070d16b9fbd263eb7b8b6d0a4df92508 100644 (file)
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@@ -94,6 +94,8 @@ static const ERR_STRING_DATA RAND_str_reasons[] = {
     "parent strength too weak"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PERSONALISATION_STRING_TOO_LONG),
     "personalisation string too long"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED),
+    "prediction resistance not supported"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_RANDOM_POOL_OVERFLOW),
     "random pool overflow"},

diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 1e60ec4bb6241ef4d42a7b73475f74696cd05a1d..dfffb84b46041f933d5954883ac86eddeb66ec70 100644 (file)
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -217,7 +217,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
             rand_drbg_lock(drbg->parent);
             if (RAND_DRBG_generate(drbg->parent,
                                    buffer, bytes_needed,
-                                   0,
+                                   prediction_resistance,
                                    (unsigned char *)drbg, sizeof(*drbg)) != 0)
                 bytes = bytes_needed;
             rand_drbg_unlock(drbg->parent);
@@ -226,6 +226,17 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
         }
 
     } else {
+        if (prediction_resistance) {
+            /*
+             * We don't have any entropy sources that comply with the NIST
+             * standard to provide prediction resistance (see NIST SP 800-90C,
+             * Section 5.4).
+             */
+            RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY,
+                    RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED);
+            return 0;
+        }
+
         /* Get entropy by polling system entropy sources. */
         entropy_available = rand_pool_acquire_entropy(pool);
     }

diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h
index afc8213927503fca98e5e078868c378666696dda..4746ad63d4f6c70813519cc4a30da75c08f16c5e 100644 (file)
--- a/include/openssl/randerr.h
+++ b/include/openssl/randerr.h
@@ -71,6 +71,7 @@ int ERR_load_RAND_strings(void);
 # define RAND_R_PARENT_LOCKING_NOT_ENABLED                130
 # define RAND_R_PARENT_STRENGTH_TOO_WEAK                  131
 # define RAND_R_PERSONALISATION_STRING_TOO_LONG           116
+# define RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED       133
 # define RAND_R_PRNG_NOT_SEEDED                           100
 # define RAND_R_RANDOM_POOL_OVERFLOW                      125
 # define RAND_R_REQUEST_TOO_LARGE_FOR_DRBG                117