Tell the ciphers which DRBG to use for generating random bytes.

Reviewed-by: NRichard Levitte <levitte@openssl.org>
GH: #4672

crypto/evp/e_aes.c

@@ -17,6 +17,7 @@
 #include "internal/evp_int.h"
 #include "modes_lcl.h"
 #include <openssl/rand.h>
+#include <internal/rand.h>
 #include "evp_locl.h"
 
 typedef struct {
@@ -1404,8 +1405,14 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
             memcpy(gctx->iv, ptr, arg);
 
         enc = EVP_CIPHER_CTX_encrypting(c);
-        if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
-            return 0;
+        if (enc) {
+            if (c->drbg != NULL) {
+                if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0)
+                    return 0;
+            } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) {
+                return 0;
+            }
+        }
 
         gctx->iv_gen = 1;
         return 1;
@@ -2632,9 +2639,14 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
             return 0;
         if (arg)
             memcpy(gctx->iv, ptr, arg);
-        if (EVP_CIPHER_CTX_encrypting(c)
-            && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
-            return 0;
+        if (EVP_CIPHER_CTX_encrypting(c)) {
+            if (c->drbg != NULL) {
+                if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0)
+                    return 0;
+            } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) {
+                return 0;
+            }
+        }
         gctx->iv_gen = 1;
         return 1;
 

crypto/evp/e_aes_cbc_hmac_sha1.c

@@ -17,9 +17,11 @@
 #include <openssl/aes.h>
 #include <openssl/sha.h>
 #include <openssl/rand.h>
+#include <internal/rand.h>
 #include "modes_lcl.h"
 #include "internal/evp_int.h"
 #include "internal/constant_time_locl.h"
+#include "evp_locl.h"
 
 typedef struct {
     AES_KEY ks;
@@ -154,7 +156,8 @@ void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int);
 static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
                                          unsigned char *out,
                                          const unsigned char *inp,
-                                         size_t inp_len, int n4x)
+                                         size_t inp_len, int n4x,
+                                         RAND_DRBG *drbg)
 {                               /* n4x is 1 or 2 */
     HASH_DESC hash_d[8], edges[8];
     CIPH_DESC ciph_d[8];
@@ -174,8 +177,13 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
 #  endif
 
     /* ask for IVs in bulk */
-    if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0)
+    IVs = blocks[0].c;
+    if (drbg != NULL) {
+        if (RAND_DRBG_bytes(drbg, IVs, 16 * x4) == 0)
+            return 0;
+    } else if (RAND_bytes(IVs, 16 * x4) <= 0) {
         return 0;
+    }
 
     ctx = (SHA1_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); /* align */
 
@@ -893,7 +901,8 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
 
             return (int)tls1_1_multi_block_encrypt(key, param->out,
                                                    param->inp, param->len,
-                                                   param->interleave / 4);
+                                                   param->interleave / 4,
+                                                   ctx->drbg);
         }
     case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT:
 # endif

crypto/evp/e_aes_cbc_hmac_sha256.c

@@ -18,9 +18,11 @@
 #include <openssl/aes.h>
 #include <openssl/sha.h>
 #include <openssl/rand.h>
+#include <internal/rand.h>
 #include "modes_lcl.h"
 #include "internal/constant_time_locl.h"
 #include "internal/evp_int.h"
+#include "evp_locl.h"
 
 typedef struct {
     AES_KEY ks;
@@ -150,7 +152,8 @@ void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int);
 static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
                                          unsigned char *out,
                                          const unsigned char *inp,
-                                         size_t inp_len, int n4x)
+                                         size_t inp_len, int n4x,
+                                         RAND_DRBG *drbg)
 {                               /* n4x is 1 or 2 */
     HASH_DESC hash_d[8], edges[8];
     CIPH_DESC ciph_d[8];
@@ -170,8 +173,13 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
 #  endif
 
     /* ask for IVs in bulk */
-    if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0)
+    IVs = blocks[0].c;
+    if (drbg != NULL) {
+        if (RAND_DRBG_bytes(drbg, IVs, 16 * x4) == 0)
+            return 0;
+    } else if (RAND_bytes(IVs, 16 * x4) <= 0) {
         return 0;
+    }
 
     /* align */
     ctx = (SHA256_MB_CTX *) (storage + 32 - ((size_t)storage % 32));
@@ -877,7 +885,8 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
 
             return (int)tls1_1_multi_block_encrypt(key, param->out,
                                                    param->inp, param->len,
-                                                   param->interleave / 4);
+                                                   param->interleave / 4,
+                                                   ctx->drbg);
         }
     case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT:
 # endif

crypto/evp/e_aria.c

@@ -15,6 +15,7 @@
 # include <openssl/rand.h>
 # include "internal/aria.h"
 # include "internal/evp_int.h"
+# include "internal/rand.h"
 # include "modes_lcl.h"
 # include "evp_locl.h"
 
@@ -301,9 +302,14 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
             return 0;
         if (arg)
             memcpy(gctx->iv, ptr, arg);
-        if (EVP_CIPHER_CTX_encrypting(c)
-            && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
-            return 0;
+        if (EVP_CIPHER_CTX_encrypting(c)) {
+            if (c->drbg != NULL) {
+                if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0)
+                    return 0;
+            } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) {
+                return 0;
+            }
+        }
         gctx->iv_gen = 1;
         return 1;
 

crypto/evp/e_des.c

@@ -15,6 +15,8 @@
 # include "internal/evp_int.h"
 # include <openssl/des.h>
 # include <openssl/rand.h>
+# include <internal/rand.h>
+# include "evp_locl.h"
 
 typedef struct {
     union {
@@ -229,8 +231,12 @@ static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 
     switch (type) {
     case EVP_CTRL_RAND_KEY:
-        if (RAND_bytes(ptr, 8) <= 0)
+        if (c->drbg != NULL) {
+            if (RAND_DRBG_bytes(c->drbg, ptr, 8) == 0)
+                return 0;
+        } else if (RAND_bytes(ptr, 8) <= 0) {
             return 0;
+        }
         DES_set_odd_parity((DES_cblock *)ptr);
         return 1;
 

crypto/evp/e_des3.c

@@ -15,6 +15,7 @@
 # include "internal/evp_int.h"
 # include <openssl/des.h>
 # include <openssl/rand.h>
+# include <internal/rand.h>
 # include "evp_locl.h"
 
 typedef struct {
@@ -283,8 +284,12 @@ static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 
     switch (type) {
     case EVP_CTRL_RAND_KEY:
-        if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0)
+        if (ctx->drbg != NULL) {
+            if (RAND_DRBG_bytes(ctx->drbg, ptr, EVP_CIPHER_CTX_key_length(ctx)) == 0)
+                return 0;
+        } else if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
             return 0;
+        }
         DES_set_odd_parity(deskey);
         if (EVP_CIPHER_CTX_key_length(ctx) >= 16)
             DES_set_odd_parity(deskey + 1);
@@ -372,8 +377,12 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
     memcpy(out + inl + 8, sha1tmp, 8);
     OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
     /* Generate random IV */
-    if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0)
+    if (ctx->drbg != NULL) {
+        if (RAND_DRBG_bytes(ctx->drbg, EVP_CIPHER_CTX_iv_noconst(ctx), 8) == 0)
+            return -1;
+    } else if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0) {
         return -1;
+    }
     memcpy(out, EVP_CIPHER_CTX_iv_noconst(ctx), 8);
     /* Encrypt everything after IV in place */
     des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8);

crypto/evp/evp_enc.c

@@ -15,6 +15,7 @@
 #include <openssl/rand.h>
 #include <openssl/engine.h>
 #include "internal/evp_int.h"
+#include "internal/rand.h"
 #include "evp_locl.h"
 
 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
@@ -577,6 +578,15 @@ int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 {
     int ret;
+
+    if (type == EVP_CTRL_GET_DRBG) {
+        *(RAND_DRBG **)ptr = ctx->drbg;
+        return 1;
+    }
+    if (type == EVP_CTRL_SET_DRBG) {
+        ctx->drbg = ptr;
+        return 1;
+    }
     if (!ctx->cipher) {
         EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET);
         return 0;
@@ -600,8 +610,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
 {
     if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
         return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
-    if (RAND_bytes(key, ctx->key_len) <= 0)
+    if (ctx->drbg) {
+        if (RAND_DRBG_bytes(ctx->drbg, key, ctx->key_len) == 0)
+            return 0;
+    } else if (RAND_bytes(key, ctx->key_len) <= 0) {
         return 0;
+    }
     return 1;
 }
 

crypto/evp/evp_locl.h

@@ -39,6 +39,7 @@ struct evp_cipher_ctx_st {
     int final_used;
     int block_mask;
     unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
+    RAND_DRBG *drbg;
 } /* EVP_CIPHER_CTX */ ;
 
 int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,

crypto/evp/p_seal.c

@@ -14,6 +14,8 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <internal/rand.h>
+#include "evp_locl.h"
 
 int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
                  unsigned char **ek, int *ekl, unsigned char *iv,
@@ -31,9 +33,14 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
         return 1;
     if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
         return 0;
-    if (EVP_CIPHER_CTX_iv_length(ctx)
-        && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
-        return 0;
+    if (EVP_CIPHER_CTX_iv_length(ctx)) {
+        if (ctx->drbg) {
+            if (RAND_DRBG_bytes(ctx->drbg, iv, EVP_CIPHER_CTX_iv_length(ctx)) == 0)
+                return 0;
+        } else if (RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) {
+            return 0;
+        }
+    }
 
     if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
         return 0;

doc/man3/EVP_EncryptInit.pod

@@ -457,6 +457,20 @@ This call is only valid when decrypting data.
 
 =back
 
+=head1 Random numbers
+
+The following can be used to select the DRBG that is used to generate the random
+numbers:
+
+EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, drbg)
+
+The following can be used to get the DRBG:
+
+EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_DRBG, 0, &drbg)
+
+By default it's set to NULL which results in RAND_bytes() being used.
+
+
 =head1 NOTES
 
 Where possible the B<EVP> interface to symmetric ciphers should be used in

include/openssl/evp.h

@@ -344,6 +344,8 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
 # define         EVP_CTRL_SET_PIPELINE_INPUT_BUFS        0x23
 /* Set the input buffer lengths to use for a pipelined operation */
 # define         EVP_CTRL_SET_PIPELINE_INPUT_LENS        0x24
+# define         EVP_CTRL_GET_DRBG                       0x25
+# define         EVP_CTRL_SET_DRBG                       0x26
 
 /* Padding modes */
 #define EVP_PADDING_PKCS7       1

ssl/s3_enc.c

@@ -167,6 +167,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
              */
             EVP_CIPHER_CTX_reset(s->enc_write_ctx);
         }
+        EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
         dd = s->enc_write_ctx;
         if (ssl_replace_hash(&s->write_hash, m) == NULL) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,

ssl/statem/statem_srvr.c

@@ -3753,6 +3753,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
                  SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
         goto err;
     }
+    EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
 
     p = senc;
     if (!i2d_SSL_SESSION(s->session, &p)) {

ssl/t1_enc.c

@@ -170,6 +170,7 @@ int tls1_change_cipher_state(SSL *s, int which)
                      ERR_R_MALLOC_FAILURE);
             goto err;
         }
+        EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
         dd = s->enc_write_ctx;
         if (SSL_IS_DTLS(s)) {
             mac_ctx = EVP_MD_CTX_new();

ssl/tls13_enc.c

@@ -406,6 +406,7 @@ int tls13_change_cipher_state(SSL *s, int which)
                          SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
+            EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
         }
         ciph_ctx = s->enc_write_ctx;
         iv = s->write_iv;