authorRich Salz <rsalz@openssl.org>2017-06-27 12:04:37 -0400
committerRich Salz <rsalz@openssl.org>2017-07-19 03:25:16 -0400
commit12fb8c3d2dd00f3d4f1b084385403d26ed64a596 (patch)
tree7fc90f8f80e16ab4e8b79def2162a56dd2d704dc /include
parent0299f3f790437d124d15f60489c774407325f82b (diff)
Add DRBG random method
Ported from the last FIPS release, with DUAL_EC and SHA1 and the self-tests removed. Since only AES-CTR is supported, other code simplifications were done. Removed the "entropy blocklen" concept. Moved internal functions to new include/internal/rand.h. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3789)
Diffstat (limited to 'include')
-rw-r--r--include/internal/rand.h50
-rw-r--r--include/openssl/crypto.h3
-rw-r--r--include/openssl/ossl_typ.h1
-rw-r--r--include/openssl/rand.h19
-rw-r--r--include/openssl/randerr.h35
5 files changed, 93 insertions, 15 deletions
diff --git a/include/internal/rand.h b/include/internal/rand.h
new file mode 100644
index 0000000000..95ad712573
--- /dev/null
+++ b/include/internal/rand.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_DRBG_RAND_H
+# define HEADER_DRBG_RAND_H
+
+/* Flag for CTR mode only: use derivation function ctr_df */
+#define RAND_DRBG_FLAG_CTR_USE_DF 0x2
+
+const RAND_METHOD *RAND_drbg(void);
+
+int RAND_DRBG_set(DRBG_CTX *ctx, int type, unsigned int flags);
+DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent);
+int RAND_DRBG_instantiate(DRBG_CTX *dctx,
+ const unsigned char *pers, size_t perslen);
+int RAND_DRBG_uninstantiate(DRBG_CTX *dctx);
+int RAND_DRBG_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
+int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen);
+void RAND_DRBG_free(DRBG_CTX *dctx);
+
+int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len),
+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len),
+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)
+ );
+
+void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval);
+
+#define RAND_DRBG_get_ex_new_index(l, p, newf, dupf, freef) \
+ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DRBG, l, p, newf, dupf, freef)
+int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg);
+void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx);
+
+DRBG_CTX *RAND_DRBG_get_default(void);
+
+
+#endif
+
+
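Review bot: The callbacks passed to `RAND_DRBG_set_callbacks` carry the whole seeding contract, yet the header documents none of it: what a return of 0 from `get_entropy` or `get_nonce` means, whether `entropy` is counted in bits, and who owns the buffer stored in `*pout` until the cleanup callback runs. A callback written against a wrong guess can under-seed the generator without any visible error, so I would add a comment above the prototype such as `/* get_entropy returns the number of bytes placed in *pout, or 0 on failure; cleanup_entropy receives that same buffer and length */`, once confirmed against the implementation, which is not part of this diff. Separately, `RAND_DRBG_set_reseed_interval` takes a signed `int` and returns `void`, so a zero or negative interval cannot be reported back to the caller; returning `int` like the other setters would allow that. The header also uses `DRBG_CTX`, `RAND_METHOD`, `size_t` and `CRYPTO_get_ex_new_index` without including anything, so it only compiles when the includer has already pulled in the right headers.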
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index ad2cfe5f07..f0bc98f320 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -107,7 +107,8 @@ DEFINE_STACK_OF(void)
# define CRYPTO_EX_INDEX_BIO 12
# define CRYPTO_EX_INDEX_APP 13
# define CRYPTO_EX_INDEX_UI_METHOD 14
-# define CRYPTO_EX_INDEX__COUNT 15
+# define CRYPTO_EX_INDEX_DRBG 15
+# define CRYPTO_EX_INDEX__COUNT 16
/*
* This is the default callbacks, but we can have others as well: this is
diff --git a/include/openssl/ossl_typ.h b/include/openssl/ossl_typ.h
index 173a42d3ff..49bdead4ce 100644
--- a/include/openssl/ossl_typ.h
+++ b/include/openssl/ossl_typ.h
@@ -114,6 +114,7 @@ typedef struct ec_key_st EC_KEY;
typedef struct ec_key_method_st EC_KEY_METHOD;
typedef struct rand_meth_st RAND_METHOD;
+typedef struct drbg_ctx_st DRBG_CTX;
typedef struct ssl_dane_st SSL_DANE;
typedef struct x509_st X509;
diff --git a/include/openssl/rand.h b/include/openssl/rand.h
index 5cda71b792..b6b33cf37a 100644
--- a/include/openssl/rand.h
+++ b/include/openssl/rand.h
@@ -38,15 +38,15 @@ const RAND_METHOD *RAND_get_rand_method(void);
int RAND_set_rand_engine(ENGINE *engine);
# endif
RAND_METHOD *RAND_OpenSSL(void);
-#if OPENSSL_API_COMPAT < 0x10100000L
-# define RAND_cleanup() while(0) continue
-#endif
+# if OPENSSL_API_COMPAT < 0x10100000L
+# define RAND_cleanup() while(0) continue
+# endif
int RAND_bytes(unsigned char *buf, int num);
DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
void RAND_seed(const void *buf, int num);
-#if defined(__ANDROID__) && defined(__NDK_FPABI__)
+# if defined(__ANDROID__) && defined(__NDK_FPABI__)
__NDK_FPABI__ /* __attribute__((pcs("aapcs"))) on ARM */
-#endif
+# endif
void RAND_add(const void *buf, int num, double randomness);
int RAND_load_file(const char *file, long max_bytes);
int RAND_write_file(const char *file);
@@ -59,15 +59,16 @@ int RAND_egd_bytes(const char *path, int bytes);
# endif
int RAND_poll(void);
-#if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H))
+# if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H))
/* application has to include <windows.h> in order to use these */
DEPRECATEDIN_1_1_0(void RAND_screen(void))
DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
-#endif
+# endif
int ERR_load_RAND_strings(void);
-# ifdef __cplusplus
+#ifdef __cplusplus
}
-# endif
+#endif
+
#endif
diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h
index 244fd0e4b4..79c652fcdf 100644
--- a/include/openssl/randerr.h
+++ b/include/openssl/randerr.h
@@ -22,17 +22,42 @@ int ERR_load_RAND_strings(void);
/*
* RAND function codes.
*/
+# define RAND_F_DRBG_BYTES 101
+# define RAND_F_DRBG_GET_ENTROPY 105
+# define RAND_F_GET_ENTROPY 106
# define RAND_F_RAND_BYTES 100
-# define RAND_F_RAND_LOAD_FILE 101
-# define RAND_F_RAND_WRITE_FILE 102
+# define RAND_F_RAND_DRBG_GENERATE 107
+# define RAND_F_RAND_DRBG_INSTANTIATE 108
+# define RAND_F_RAND_DRBG_NEW 109
+# define RAND_F_RAND_DRBG_RESEED 110
+# define RAND_F_RAND_DRBG_SET 104
+# define RAND_F_RAND_LOAD_FILE 111
+# define RAND_F_RAND_WRITE_FILE 112
/*
* RAND reason codes.
*/
-# define RAND_R_CANNOT_OPEN_FILE 102
+# define RAND_R_ADDITIONAL_INPUT_TOO_LONG 102
+# define RAND_R_ALREADY_INSTANTIATED 103
+# define RAND_R_CANNOT_OPEN_FILE 121
+# define RAND_R_DRBG_NOT_INITIALISED 104
+# define RAND_R_ERROR_INITIALISING_DRBG 107
+# define RAND_R_ERROR_INSTANTIATING_DRBG 108
+# define RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 109
+# define RAND_R_ERROR_RETRIEVING_ENTROPY 110
+# define RAND_R_ERROR_RETRIEVING_NONCE 111
# define RAND_R_FUNC_NOT_IMPLEMENTED 101
-# define RAND_R_FWRITE_ERROR 103
-# define RAND_R_NOT_A_REGULAR_FILE 104
+# define RAND_R_FWRITE_ERROR 123
+# define RAND_R_GENERATE_ERROR 112
+# define RAND_R_INTERNAL_ERROR 113
+# define RAND_R_IN_ERROR_STATE 114
+# define RAND_R_NOT_A_REGULAR_FILE 122
+# define RAND_R_NOT_INSTANTIATED 115
+# define RAND_R_PERSONALISATION_STRING_TOO_LONG 116
# define RAND_R_PRNG_NOT_SEEDED 100
+# define RAND_R_REQUEST_TOO_LARGE_FOR_DRBG 117
+# define RAND_R_RESEED_ERROR 118
+# define RAND_R_SELFTEST_FAILURE 119
+# define RAND_R_UNSUPPORTED_DRBG_TYPE 120
#endif
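Review bot: Existing public error codes are renumbered here and their old values are handed to new codes: `RAND_R_CANNOT_OPEN_FILE` moves from 102 to 121 while 102 becomes `RAND_R_ADDITIONAL_INPUT_TOO_LONG`, and `RAND_R_FWRITE_ERROR`, `RAND_R_NOT_A_REGULAR_FILE`, `RAND_F_RAND_LOAD_FILE` and `RAND_F_RAND_WRITE_FILE` are changed in the same way. If the old numbers ever shipped in a release, an application built against the old header that compares `ERR_GET_REASON()` with these constants would misread a file error as a DRBG error after a library upgrade. I would keep the existing values, e.g. `# define RAND_R_CANNOT_OPEN_FILE 102`, and give the new reasons numbers that were never used. `RAND_R_SELFTEST_FAILURE` is also added although the commit message says the self-tests were removed, so it may be dead.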