EVP_RAND(7)
While the RAND API is the 'frontend' intended to be used by application developers for obtaining random bytes, the EVP_RAND API serves as the 'backend', connecting the former with the operating system's entropy sources and providing access to deterministic random bit generators (DRBG) and their configuration parameters. A DRBG is a certain type of cryptographically secure pseudo-random number generator (CSPRNG), described in [NIST SP 800-90A Rev. 1].

Instead of pulling its seed material from the operating system, an EVP_RAND instance can be seeded from another EVP_RAND instance, its parent. This is called chaining. A chained EVP_RAND instance is created by passing a pointer to the parent EVP_RAND_CTX as argument to the EVP_RAND_CTX_new() call. It is possible to create chains of more than two DRBGs in a row. It is also possible to use any EVP_RAND_CTX class as the parent; however, only a live entropy source may ignore and not use its parent.
By default, the functions RAND_bytes(3) and RAND_priv_bytes(3) use the thread-local <public> and <private> DRBG instances, respectively.

Pointers to the <primary>, <public> and <private> DRBG instances can be obtained using RAND_get0_primary(), RAND_get0_public() and RAND_get0_private(), respectively. Note that it is not allowed to store a pointer to one of the thread-local DRBG instances in a variable or other memory location where it will be accessed and used by multiple threads.

All other DRBG instances created by an application do not support locking, because they are intended to be used by a single thread. Instead of accessing a single DRBG instance concurrently from different threads, it is recommended to instantiate a separate DRBG instance per thread. Using the <primary> DRBG as entropy source for multiple DRBG instances on different threads is thread-safe, because the DRBG instance will lock the <primary> DRBG automatically for obtaining random input.
                           +--------------------+
                           | os entropy sources |
                           +--------------------+
                                     |
                                     v
                                               +-----------------------------+
               RAND_add() ==> <primary>      <-| shared DRBG (with locking)  |
                               /   \           +-----------------------------+
                              /     \
                                               +---------------------------+
                       <public>   <private>  <-| per-thread DRBG instances |
                          |            |       +---------------------------+
                          v            v
                     RAND_bytes()  RAND_priv_bytes()
                          |               ^
                          |               |
               +------------------+   +------------------------------------+
               | general purpose  |   | used for secrets like session keys |
               | random generator |   | and private keys for certificates  |
               +------------------+   +------------------------------------+
The usual way to obtain random bytes is to call RAND_bytes(...) or RAND_priv_bytes(...). These calls are roughly equivalent to calling EVP_RAND_generate(<public>, ...) and EVP_RAND_generate(<private>, ...), respectively.

Automatic reseeding occurs after a predefined number of generate requests. The selection of the trusted entropy sources is configured at build time using the --with-rand-seed option. The following sections explain the reseeding process in more detail.
A DRBG instance reseeds itself automatically, pulling fresh random input from its entropy source (or from its parent DRBG), whenever one of the following holds:

- the DRBG was not instantiated (=seeded) yet or has been uninstantiated.

- the number of generate requests since the last reseeding exceeds a certain threshold, the so-called reseed_interval. This behaviour can be disabled by setting the reseed_interval to 0.

- the time elapsed since the last reseeding exceeds a certain time interval, the so-called reseed_time_interval. This can be disabled by setting the reseed_time_interval to 0.

- the DRBG is in an error state.

Note: An error state is entered if the entropy source fails while the DRBG is seeding or reseeding. The last case ensures that the DRBG automatically recovers from the error as soon as the entropy source is available again.
The document [NIST SP 800-90C] describes prediction resistance requests in detail and imposes strict conditions on the entropy sources that are approved for providing prediction resistance. A request for prediction resistance can only be satisfied by pulling fresh entropy from a live entropy source (section 5.5.2 of [NIST SP 800-90C]). It is up to the user to ensure that a live entropy source is configured and is being used.

For the three shared DRBGs (and only for these) there is another way to reseed them manually: If RAND_add(3) is called with a positive randomness argument (or RAND_seed(3)), then this will immediately reseed the <primary> DRBG. The <public> and <private> DRBG will detect this on their next generate call and reseed, pulling randomness from <primary>.
This last feature was added to support the common practice, used with previous OpenSSL versions, of calling RAND_add() before calling RAND_bytes().

The following two sections describe the reseeding process of the primary DRBG, depending on whether automatic reseeding is available or not.
With automatic seeding enabled, RAND_add() can be used to add either kind of random input, depending on the value of the randomness argument: a positive randomness argument supplies entropy input for a full reseed, while a randomness argument of zero supplies additional input that is merely mixed into the current DRBG state.

NOTE: Manual reseeding is not allowed in FIPS mode, because [NIST SP 800-90A Rev. 1] mandates that entropy shall not be provided by the consuming application for instantiation (Section 9.1) or reseeding (Section 9.2). For that reason, the randomness argument is ignored and the random bytes provided by the RAND_add(3) and RAND_seed(3) calls are treated as additional data.
With automatic seeding disabled, RAND_add() needs to be called for initial seeding and periodic reseeding. At least 48 bytes (384 bits) of randomness have to be provided, otherwise the (re-)seeding of the DRBG will fail. This corresponds to one and a half times the security strength of the DRBG. The extra half is used for the nonce during instantiation.

More precisely, the number of bytes needed for seeding depends on the security strength of the DRBG, which is set to 256 bits by default.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.