DRBG: make the derivation function the default for ctr_drbg

The NIST standard presents two alternative ways for seeding the
CTR DRBG, depending on whether a derivation function is used or not.
In Section 10.2.1 of NIST SP800-90Ar1 the following is assessed:

  The use of the derivation function is optional if either an
  approved RBG or an entropy source provides full entropy output
  when entropy input is requested by the DRBG mechanism.
  Otherwise, the derivation function shall be used.

Since the OpenSSL DRBG supports being reseeded from low entropy random
sources (using RAND_POOL), the use of a derivation function is mandatory.
For that reason we change the default and replace the opt-in flag
RAND_DRBG_FLAG_CTR_USE_DF with an opt-out flag RAND_DRBG_FLAG_CTR_NO_DF.
This change simplifies the RAND_DRBG_new() calls.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5294)

1 files changed, 2 insertions, 2 deletions

diff --git a/include/internal/rand.h b/include/internal/rand.h
index 1dde659..8d3e452 100644
--- a/include/internal/rand.h
+++ b/include/internal/rand.h
@@ -10,8 +10,8 @@
 #ifndef HEADER_DRBG_RAND_H
 # define HEADER_DRBG_RAND_H
 
-/* In CTR mode, use derivation function ctr_df */
-#define RAND_DRBG_FLAG_CTR_USE_DF            0x2
+/* In CTR mode, disable derivation function ctr_df */
+#define RAND_DRBG_FLAG_CTR_NO_DF            0x1
 
 /*
  * Default security strength (in the sense of [NIST SP 800-90Ar1])