DRBG: make the derivation function the default for ctr_drbg

The NIST standard presents two alternative ways for seeding the
CTR DRBG, depending on whether a derivation function is used or not.
In Section 10.2.1 of NIST SP800-90Ar1 the following is assessed:

  The use of the derivation function is optional if either an
  approved RBG or an entropy source provides full entropy output
  when entropy input is requested by the DRBG mechanism.
  Otherwise, the derivation function shall be used.

Since the OpenSSL DRBG supports being reseeded from low entropy random
sources (using RAND_POOL), the use of a derivation function is mandatory.
For that reason we change the default and replace the opt-in flag
RAND_DRBG_FLAG_CTR_USE_DF with an opt-out flag RAND_DRBG_FLAG_CTR_NO_DF.
This change simplifies the RAND_DRBG_new() calls.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5294)

diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c
index 883c585c283b87e1e9afa1db3a0be1a00c854872..99cd9976d8782c407f0f65d3478226114dfc3b9e 100644 (file)
--- a/crypto/rand/drbg_ctr.c
+++ b/crypto/rand/drbg_ctr.c
@@ -221,7 +221,7 @@ static void ctr_update(RAND_DRBG *drbg,
         memcpy(ctr->V, ctr->K + 24, 8);
     }
 
-    if (drbg->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+    if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
         /* If no input reuse existing derived value */
         if (in1 != NULL || nonce != NULL || in2 != NULL)
             ctr_df(ctr, in1, in1len, nonce, noncelen, in2, in2len);
@@ -272,7 +272,7 @@ static int drbg_ctr_generate(RAND_DRBG *drbg,
     if (adin != NULL && adinlen != 0) {
         ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0);
         /* This means we reuse derived value */
-        if (drbg->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+        if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
             adin = NULL;
             adinlen = 1;
         }
@@ -338,7 +338,7 @@ int drbg_ctr_init(RAND_DRBG *drbg)
     drbg->strength = keylen * 8;
     drbg->seedlen = keylen + 16;
 
-    if (drbg->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+    if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
         /* df initialisation */
         static unsigned char df_key[32] = {
             0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,

diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c
index c7a8dde7dc9dc73da145e29a4a90ae31d665fb19..c592a7b9d07486774a465d912e2a615d2f1fdcb0 100644 (file)
--- a/crypto/rand/drbg_lib.c
+++ b/crypto/rand/drbg_lib.c
@@ -793,7 +793,7 @@ static RAND_DRBG *drbg_setup(RAND_DRBG *parent)
 {
     RAND_DRBG *drbg;
 
-    drbg = RAND_DRBG_secure_new(RAND_DRBG_NID, RAND_DRBG_FLAG_CTR_USE_DF, parent);
+    drbg = RAND_DRBG_secure_new(RAND_DRBG_NID, 0, parent);
     if (drbg == NULL)
         return NULL;
 

diff --git a/include/internal/rand.h b/include/internal/rand.h
index 1dde659716b1ecf467d22b6047bd4679b5c0a456..8d3e4528ba9d3f30bd7cac19c1d2c2dc0241b4ff 100644 (file)
--- a/include/internal/rand.h
+++ b/include/internal/rand.h
@@ -10,8 +10,8 @@
 #ifndef HEADER_DRBG_RAND_H
 # define HEADER_DRBG_RAND_H
 
-/* In CTR mode, use derivation function ctr_df */
-#define RAND_DRBG_FLAG_CTR_USE_DF            0x2
+/* In CTR mode, disable derivation function ctr_df */
+#define RAND_DRBG_FLAG_CTR_NO_DF            0x1
 
 /*
  * Default security strength (in the sense of [NIST SP 800-90Ar1])

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 6a5c03de6af83e4450877a2df9bd66a89b85ffc8..00e02f4dc7944ab4dda5c3eb94f2643d0eff948d 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -694,8 +694,7 @@ SSL *SSL_new(SSL_CTX *ctx)
      */
     if (RAND_get_rand_method() == RAND_OpenSSL()) {
         s->drbg =
-            RAND_DRBG_new(RAND_DRBG_NID, RAND_DRBG_FLAG_CTR_USE_DF,
-                          RAND_DRBG_get0_public());
+            RAND_DRBG_new(RAND_DRBG_NID, 0, RAND_DRBG_get0_public());
         if (s->drbg == NULL
             || RAND_DRBG_instantiate(s->drbg,
                                      (const unsigned char *) SSL_version_str,

diff --git a/test/drbgtest.c b/test/drbgtest.c
index 6e916c42cb62fe9f56965fd9c3f382ca82e199e8..c64628a7568ddc3755e0f71bebc688d9ce3ef81b 100644 (file)
--- a/test/drbgtest.c
+++ b/test/drbgtest.c
@@ -88,16 +88,19 @@ typedef struct drbg_selftest_data_st {
     pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
     }
 
-#define make_drbg_test_data_df(nid, pr, p) \
-    make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_USE_DF, pr, p)
+#define make_drbg_test_data_use_df(nid, pr, p) \
+    make_drbg_test_data(nid, 0, pr, p)
+
+#define make_drbg_test_data_no_df(nid, pr, p)                      \
+    make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p)
 
 static DRBG_SELFTEST_DATA drbg_test[] = {
-    make_drbg_test_data   (NID_aes_128_ctr, 0, aes_128_no_df, 0),
-    make_drbg_test_data   (NID_aes_192_ctr, 0, aes_192_no_df, 0),
-    make_drbg_test_data   (NID_aes_256_ctr, 0, aes_256_no_df, 1),
-    make_drbg_test_data_df(NID_aes_128_ctr,    aes_128_use_df, 0),
-    make_drbg_test_data_df(NID_aes_192_ctr,    aes_192_use_df, 0),
-    make_drbg_test_data_df(NID_aes_256_ctr,    aes_256_use_df, 1),
+    make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df,  0),
+    make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df,  0),
+    make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df,  1),
+    make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0),
+    make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0),
+    make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1),
 };
 
 static int app_data_index;