wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added DRBG_HMAC & DRBG_HASH + Added defaults for setting DRBG for master/public/private + renamed generate_counter back to reseed_counter + generated new cavs data tests

Browse source 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6779)
This commit is contained in:
Shane Lontis 2018-07-24 11:16:38 +10:00 committed by Pauli
parent 1362190b1b
commit 8bf3665196
18 changed files with 18526 additions and 170425 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
crypto/rand/build.info
View file

@ -1,4 +1,6 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
randfile.c rand_lib.c rand_err.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c \
drbg_hash.c drbg_hmac.c

3
crypto/rand/drbg_ctr.c
View file

@ -13,12 +13,11 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include "internal/thread_once.h"
#include "internal/thread_once.h"
#include "rand_lcl.h"
/*
* Implementation of NIST SP 800-90A CTR DRBG.
*/
static void inc_128(RAND_DRBG_CTR *ctr)
{
int i;

347
crypto/rand/drbg_hash.c Normal file
View file

@ -0,0 +1,347 @@
/*
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include "internal/thread_once.h"
#include "rand_lcl.h"
/* 440 bits from SP800-90Ar1 10.1 table 2 */
#define HASH_PRNG_SMALL_SEEDLEN (440/8)
/* Determine what seedlen to use based on the block length */
#define MAX_BLOCKLEN_USING_SMALL_SEEDLEN (256/8)
#define INBYTE_IGNORE ((unsigned char)0xFF)
/*
* SP800-90Ar1 10.3.1 Derivation function using a Hash Function (Hash_df).
* The input string used is composed of:
* inbyte - An optional leading byte (ignore if equal to INBYTE_IGNORE)
* in - input string 1 (A Non NULL value).
* in2 - optional input string (Can be NULL).
* in3 - optional input string (Can be NULL).
* These are concatenated as part of the DigestUpdate process.
*/
static int hash_df(RAND_DRBG *drbg, unsigned char *out,
const unsigned char inbyte,
const unsigned char *in, size_t inlen,
const unsigned char *in2, size_t in2len,
const unsigned char *in3, size_t in3len)
{
RAND_DRBG_HASH *hash = &drbg->data.hash;
EVP_MD_CTX *ctx = hash->ctx;
unsigned char *vtmp = hash->vtmp;
/* tmp = counter || num_bits_returned || [inbyte] */
unsigned char tmp[1 + 4 + 1];
int tmp_sz = 0;
size_t outlen = drbg->seedlen;
size_t num_bits_returned = outlen * 8;
/*
* No need to check outlen size here, as the standard only ever needs
* seedlen bytes which is always less than the maximum permitted.
*/
/* (Step 3) counter = 1 (tmp[0] is the 8 bit counter) */
tmp[tmp_sz++] = 1;
/* tmp[1..4] is the fixed 32 bit no_of_bits_to_return */
tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 24) & 0xff);
tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 16) & 0xff);
tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 8) & 0xff);
tmp[tmp_sz++] = (unsigned char)(num_bits_returned & 0xff);
/* Tack the additional input byte onto the end of tmp if it exists */
if (inbyte != INBYTE_IGNORE)
tmp[tmp_sz++] = inbyte;
/* (Step 4) */
for (;;) {
/*
* (Step 4.1) out = out || Hash(tmp || in || [in2] || [in3])
* (where tmp = counter || num_bits_returned || [inbyte])
*/
if (!(EVP_DigestInit_ex(ctx, hash->md, NULL)
&& EVP_DigestUpdate(ctx, tmp, tmp_sz)
&& EVP_DigestUpdate(ctx, in, inlen)
&& (in2 == NULL || EVP_DigestUpdate(ctx, in2, in2len))
&& (in3 == NULL || EVP_DigestUpdate(ctx, in3, in3len))))
return 0;
if (outlen < hash->blocklen) {
if (!EVP_DigestFinal(ctx, vtmp, NULL))
return 0;
memcpy(out, vtmp, outlen);
OPENSSL_cleanse(vtmp, hash->blocklen);
break;
} else if(!EVP_DigestFinal(ctx, out, NULL)) {
return 0;
}
outlen -= hash->blocklen;
if (outlen == 0)
break;
/* (Step 4.2) counter++ */
tmp[0]++;
out += hash->blocklen;
}
return 1;
}
/* Helper function that just passes 2 input parameters to hash_df() */
static int hash_df1(RAND_DRBG *drbg, unsigned char *out,
const unsigned char in_byte,
const unsigned char *in1, size_t in1len)
{
return hash_df(drbg, out, in_byte, in1, in1len, NULL, 0, NULL, 0);
}
/*
* Add 2 byte buffers together. The first elements in each buffer are the top
* most bytes. The result is stored in the dst buffer.
* The final carry is ignored i.e: dst = (dst + in) mod (2^seedlen_bits).
* where dst size is drbg->seedlen, and inlen <= drbg->seedlen.
*/
static int add_bytes(RAND_DRBG *drbg, unsigned char *dst,
unsigned char *in, size_t inlen)
{
size_t i;
int result;
const unsigned char *add;
unsigned char carry = 0, *d;
assert(drbg->seedlen >= 1 && inlen >= 1 && inlen <= drbg->seedlen);
d = &dst[drbg->seedlen - 1];
add = &in[inlen - 1];
for (i = inlen; i > 0; i--, d--, add--) {
result = *d + *add + carry;
carry = (unsigned char)(result >> 8);
*d = (unsigned char)(result & 0xff);
}
if (carry != 0) {
/* Add the carry to the top of the dst if inlen is not the same size */
for (i = drbg->seedlen - inlen; i > 0; --i, d--) {
*d += 1; /* Carry can only be 1 */
if (*d != 0) /* exit if carry doesnt propagate to the next byte */
break;
}
}
return 1;
}
/* V = (V + Hash(inbyte || V || [additional_input]) mod (2^seedlen) */
static int add_hash_to_v(RAND_DRBG *drbg, unsigned char inbyte,
const unsigned char *adin, size_t adinlen)
{
RAND_DRBG_HASH *hash = &drbg->data.hash;
EVP_MD_CTX *ctx = hash->ctx;
return EVP_DigestInit_ex(ctx, hash->md, NULL)
&& EVP_DigestUpdate(ctx, &inbyte, 1)
&& EVP_DigestUpdate(ctx, hash->V, drbg->seedlen)
&& (adin == NULL || EVP_DigestUpdate(ctx, adin, adinlen))
&& EVP_DigestFinal(ctx, hash->vtmp, NULL)
&& add_bytes(drbg, hash->V, hash->vtmp, hash->blocklen);
}
/*
* The Hashgen() as listed in SP800-90Ar1 10.1.1.4 Hash_DRBG_Generate_Process.
*
* drbg contains the current value of V.
* outlen is the requested number of bytes.
* out is a buffer to return the generated bits.
*
* The algorithm to generate the bits is:
* data = V
* w = NULL
* for (i = 1 to m) {
* W = W || Hash(data)
* data = (data + 1) mod (2^seedlen)
* }
* out = Leftmost(W, outlen)
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int hash_gen(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
{
RAND_DRBG_HASH *hash = &drbg->data.hash;
unsigned char one = 1;
if (outlen == 0)
return 1;
memcpy(hash->vtmp, hash->V, drbg->seedlen);
for(;;) {
if (!EVP_DigestInit_ex(hash->ctx, hash->md, NULL)
|| !EVP_DigestUpdate(hash->ctx, hash->vtmp, drbg->seedlen))
return 0;
if (outlen < hash->blocklen) {
if (!EVP_DigestFinal(hash->ctx, hash->vtmp, NULL))
return 0;
memcpy(out, hash->vtmp, outlen);
return 1;
} else {
if (!EVP_DigestFinal(hash->ctx, out, NULL))
return 0;
outlen -= hash->blocklen;
if (outlen == 0)
break;
out += hash->blocklen;
}
add_bytes(drbg, hash->vtmp, &one, 1);
}
return 1;
}
/*
* SP800-90Ar1 10.1.1.2 Hash_DRBG_Instantiate_Process:
*
* ent is entropy input obtained from a randomness source of length ent_len.
* nonce is a string of bytes of length nonce_len.
* pstr is a personalization string received from an application. May be NULL.
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int drbg_hash_instantiate(RAND_DRBG *drbg,
const unsigned char *ent, size_t ent_len,
const unsigned char *nonce, size_t nonce_len,
const unsigned char *pstr, size_t pstr_len)
{
RAND_DRBG_HASH *hash = &drbg->data.hash;
/* (Step 1-3) V = Hash_df(entropy||nonce||pers, seedlen) */
return hash_df(drbg, hash->V, INBYTE_IGNORE,
ent, ent_len, nonce, nonce_len, pstr, pstr_len)
/* (Step 4) C = Hash_df(0x00||V, seedlen) */
&& hash_df1(drbg, hash->C, 0x00, hash->V, drbg->seedlen);
}
/*
* SP800-90Ar1 10.1.1.3 Hash_DRBG_Reseed_Process:
*
* ent is entropy input bytes obtained from a randomness source.
* addin is additional input received from an application. May be NULL.
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int drbg_hash_reseed(RAND_DRBG *drbg,
const unsigned char *ent, size_t ent_len,
const unsigned char *adin, size_t adin_len)
{
RAND_DRBG_HASH *hash = &drbg->data.hash;
/* (Step 1-2) V = Hash_df(0x01 || V || entropy_input || additional_input)*/
/* V about to be updated so use C as output instead */
if (!hash_df(drbg, hash->C, 0x01, hash->V, drbg->seedlen, ent, ent_len,
adin, adin_len))
return 0;
memcpy(hash->V, hash->C, drbg->seedlen);
/* (Step 4) C = Hash_df(0x00||V, seedlen) */
return hash_df1(drbg, hash->C, 0x00, hash->V, drbg->seedlen);
}
/*
* SP800-90Ar1 10.1.1.4 Hash_DRBG_Generate_Process:
*
* Generates pseudo random bytes using the drbg.
* out is a buffer to fill with outlen bytes of pseudo random data.
* addin is additional input received from an application. May be NULL.
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int drbg_hash_generate(RAND_DRBG *drbg,
unsigned char *out, size_t outlen,
const unsigned char *adin, size_t adin_len)
{
RAND_DRBG_HASH *hash = &drbg->data.hash;
unsigned char counter[4];
int reseed_counter = drbg->reseed_gen_counter;
counter[0] = (unsigned char)((reseed_counter >> 24) & 0xff);
counter[1] = (unsigned char)((reseed_counter >> 16) & 0xff);
counter[2] = (unsigned char)((reseed_counter >> 8) & 0xff);
counter[3] = (unsigned char)(reseed_counter & 0xff);
return (adin == NULL
/* (Step 2) if adin != NULL then V = V + Hash(0x02||V||adin) */
|| adin_len == 0
|| add_hash_to_v(drbg, 0x02, adin, adin_len))
/* (Step 3) Hashgen(outlen, V) */
&& hash_gen(drbg, out, outlen)
/* (Step 4/5) H = V = (V + Hash(0x03||V) mod (2^seedlen_bits) */
&& add_hash_to_v(drbg, 0x03, NULL, 0)
/* (Step 5) V = (V + H + C + reseed_counter) mod (2^seedlen_bits) */
/* V = (V + C) mod (2^seedlen_bits) */
&& add_bytes(drbg, hash->V, hash->C, drbg->seedlen)
/* V = (V + reseed_counter) mod (2^seedlen_bits) */
&& add_bytes(drbg, hash->V, counter, 4);
}
static int drbg_hash_uninstantiate(RAND_DRBG *drbg)
{
EVP_MD_CTX_free(drbg->data.hash.ctx);
OPENSSL_cleanse(&drbg->data.hash, sizeof(drbg->data.hash));
return 1;
}
static RAND_DRBG_METHOD drbg_hash_meth = {
drbg_hash_instantiate,
drbg_hash_reseed,
drbg_hash_generate,
drbg_hash_uninstantiate
};
int drbg_hash_init(RAND_DRBG *drbg)
{
const EVP_MD *md;
RAND_DRBG_HASH *hash = &drbg->data.hash;
/* Any approved digest is allowed */
md = EVP_get_digestbynid(drbg->type);
if (md == NULL)
return 0;
drbg->meth = &drbg_hash_meth;
hash->md = md;
if (hash->ctx == NULL) {
hash->ctx = EVP_MD_CTX_new();
if (hash->ctx == NULL)
return 0;
}
/* These are taken from SP 800-90 10.1 Table 2 */
hash->blocklen = EVP_MD_size(md);
/* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
drbg->strength = 64 * (hash->blocklen >> 3);
if (drbg->strength > 256)
drbg->strength = 256;
if (hash->blocklen > MAX_BLOCKLEN_USING_SMALL_SEEDLEN)
drbg->seedlen = HASH_PRNG_MAX_SEEDLEN;
else
drbg->seedlen = HASH_PRNG_SMALL_SEEDLEN;
drbg->min_entropylen = drbg->strength / 8;
drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
drbg->min_noncelen = drbg->min_entropylen / 2;
drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
drbg->max_perslen = DRBG_MAX_LENGTH;
drbg->max_adinlen = DRBG_MAX_LENGTH;
/* Maximum number of bits per request = 2^19 = 2^16 bytes */
drbg->max_request = 1 << 16;
return 1;
}

238
crypto/rand/drbg_hmac.c Normal file
View file

@ -0,0 +1,238 @@
/*
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include "internal/thread_once.h"
#include "rand_lcl.h"
/*
* Called twice by SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process.
*
* hmac is an object that holds the input/output Key and Value (K and V).
* inbyte is 0x00 on the first call and 0x01 on the second call.
* in1, in2, in3 are optional inputs that can be NULL.
* in1len, in2len, in3len are the lengths of the input buffers.
*
* The returned K,V is:
* hmac->K = HMAC(hmac->K, hmac->V || inbyte || [in1] || [in2] || [in3])
* hmac->V = HMAC(hmac->K, hmac->V)
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int do_hmac(RAND_DRBG_HMAC *hmac, unsigned char inbyte,
const unsigned char *in1, size_t in1len,
const unsigned char *in2, size_t in2len,
const unsigned char *in3, size_t in3len)
{
HMAC_CTX *ctx = hmac->ctx;
return HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
/* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */
&& HMAC_Update(ctx, hmac->V, hmac->blocklen)
&& HMAC_Update(ctx, &inbyte, 1)
&& (in1 == NULL || in1len == 0 || HMAC_Update(ctx, in1, in1len))
&& (in2 == NULL || in2len == 0 || HMAC_Update(ctx, in2, in2len))
&& (in3 == NULL || in3len == 0 || HMAC_Update(ctx, in3, in3len))
&& HMAC_Final(ctx, hmac->K, NULL)
/* V = HMAC(K, V) */
&& HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
&& HMAC_Update(ctx, hmac->V, hmac->blocklen)
&& HMAC_Final(ctx, hmac->V, NULL);
}
/*
* SP800-90Ar1 10.1.2.2 HMAC_DRBG_Update_Process
*
*
* Updates the drbg objects Key(K) and Value(V) using the following algorithm:
* K,V = do_hmac(hmac, 0, in1, in2, in3)
* if (any input is not NULL)
* K,V = do_hmac(hmac, 1, in1, in2, in3)
*
* where in1, in2, in3 are optional input buffers that can be NULL.
* in1len, in2len, in3len are the lengths of the input buffers.
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int drbg_hmac_update(RAND_DRBG *drbg,
const unsigned char *in1, size_t in1len,
const unsigned char *in2, size_t in2len,
const unsigned char *in3, size_t in3len)
{
RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
/* (Steps 1-2) K = HMAC(K, V||0x00||provided_data). V = HMAC(K,V) */
if (!do_hmac(hmac, 0x00, in1, in1len, in2, in2len, in3, in3len))
return 0;
/* (Step 3) If provided_data == NULL then return (K,V) */
if (in1len == 0 && in2len == 0 && in3len == 0)
return 1;
/* (Steps 4-5) K = HMAC(K, V||0x01||provided_data). V = HMAC(K,V) */
return do_hmac(hmac, 0x01, in1, in1len, in2, in2len, in3, in3len);
}
/*
* SP800-90Ar1 10.1.2.3 HMAC_DRBG_Instantiate_Process:
*
* This sets the drbg Key (K) to all zeros, and Value (V) to all 1's.
* and then calls (K,V) = drbg_hmac_update() with input parameters:
* ent = entropy data (Can be NULL) of length ent_len.
* nonce = nonce data (Can be NULL) of length nonce_len.
* pstr = personalization data (Can be NULL) of length pstr_len.
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int drbg_hmac_instantiate(RAND_DRBG *drbg,
const unsigned char *ent, size_t ent_len,
const unsigned char *nonce, size_t nonce_len,
const unsigned char *pstr, size_t pstr_len)
{
RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
/* (Step 2) Key = 0x00 00...00 */
memset(hmac->K, 0x00, hmac->blocklen);
/* (Step 3) V = 0x01 01...01 */
memset(hmac->V, 0x01, hmac->blocklen);
/* (Step 4) (K,V) = HMAC_DRBG_Update(entropy||nonce||pers string, K, V) */
return drbg_hmac_update(drbg, ent, ent_len, nonce, nonce_len, pstr,
pstr_len);
}
/*
* SP800-90Ar1 10.1.2.4 HMAC_DRBG_Reseed_Process:
*
* Reseeds the drbg's Key (K) and Value (V) by calling
* (K,V) = drbg_hmac_update() with the following input parameters:
* ent = entropy input data (Can be NULL) of length ent_len.
* adin = additional input data (Can be NULL) of length adin_len.
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int drbg_hmac_reseed(RAND_DRBG *drbg,
const unsigned char *ent, size_t ent_len,
const unsigned char *adin, size_t adin_len)
{
/* (Step 2) (K,V) = HMAC_DRBG_Update(entropy||additional_input, K, V) */
return drbg_hmac_update(drbg, ent, ent_len, adin, adin_len, NULL, 0);
}
/*
* SP800-90Ar1 10.1.2.5 HMAC_DRBG_Generate_Process:
*
* Generates pseudo random bytes and updates the internal K,V for the drbg.
* out is a buffer to fill with outlen bytes of pseudo random data.
* adin is an additional_input string of size adin_len that may be NULL.
*
* Returns zero if an error occurs otherwise it returns 1.
*/
static int drbg_hmac_generate(RAND_DRBG *drbg,
unsigned char *out, size_t outlen,
const unsigned char *adin, size_t adin_len)
{
RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
HMAC_CTX *ctx = hmac->ctx;
const unsigned char *temp = hmac->V;
/* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */
if (adin != NULL
&& adin_len > 0
&& !drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
return 0;
/*
* (Steps 3-5) temp = NULL
* while (len(temp) < outlen) {
* V = HMAC(K, V)
* temp = temp || V
* }
*/
for (;;) {
if (!HMAC_Init_ex(ctx, hmac->K, hmac->blocklen, hmac->md, NULL)
|| !HMAC_Update(ctx, temp, hmac->blocklen))
return 0;
if (outlen > hmac->blocklen) {
if (!HMAC_Final(ctx, out, NULL))
return 0;
temp = out;
} else {
if (!HMAC_Final(ctx, hmac->V, NULL))
return 0;
memcpy(out, hmac->V, outlen);
break;
}
out += hmac->blocklen;
outlen -= hmac->blocklen;
}
/* (Step 6) (K,V) = HMAC_DRBG_Update(adin, K, V) */
if (!drbg_hmac_update(drbg, adin, adin_len, NULL, 0, NULL, 0))
return 0;
return 1;
}
static int drbg_hmac_uninstantiate(RAND_DRBG *drbg)
{
HMAC_CTX_free(drbg->data.hmac.ctx);
OPENSSL_cleanse(&drbg->data.hmac, sizeof(drbg->data.hmac));
return 1;
}
static RAND_DRBG_METHOD drbg_hmac_meth = {
drbg_hmac_instantiate,
drbg_hmac_reseed,
drbg_hmac_generate,
drbg_hmac_uninstantiate
};
int drbg_hmac_init(RAND_DRBG *drbg)
{
const EVP_MD *md = NULL;
RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
/* Any approved digest is allowed - assume we pass digest (not NID_hmac*) */
md = EVP_get_digestbynid(drbg->type);
if (md == NULL)
return 0;
drbg->meth = &drbg_hmac_meth;
if (hmac->ctx == NULL) {
hmac->ctx = HMAC_CTX_new();
if (hmac->ctx == NULL)
return 0;
}
/* These are taken from SP 800-90 10.1 Table 2 */
hmac->md = md;
hmac->blocklen = EVP_MD_size(md);
/* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
drbg->strength = 64 * (int)(hmac->blocklen >> 3);
if (drbg->strength > 256)
drbg->strength = 256;
drbg->seedlen = hmac->blocklen;
drbg->min_entropylen = drbg->strength / 8;
drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
drbg->min_noncelen = drbg->min_entropylen / 2;
drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
drbg->max_perslen = DRBG_MAX_LENGTH;
drbg->max_adinlen = DRBG_MAX_LENGTH;
/* Maximum number of bits per request = 2^19 = 2^16 bytes*/
drbg->max_request = 1 << 16;
return 1;
}

168
crypto/rand/drbg_lib.c
View file

@ -72,9 +72,24 @@ static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
#define RAND_DRBG_TYPE_FLAGS ( \
RAND_DRBG_FLAG_MASTER | RAND_DRBG_FLAG_PUBLIC | RAND_DRBG_FLAG_PRIVATE )
static int rand_drbg_type = RAND_DRBG_TYPE;
static unsigned int rand_drbg_flags = RAND_DRBG_FLAGS;
#define RAND_DRBG_TYPE_MASTER 0
#define RAND_DRBG_TYPE_PUBLIC 1
#define RAND_DRBG_TYPE_PRIVATE 2
/* Defaults */
static int rand_drbg_type[3] = {
RAND_DRBG_TYPE, /* Master */
RAND_DRBG_TYPE, /* Public */
RAND_DRBG_TYPE /* Private */
};
static unsigned int rand_drbg_flags[3] = {
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_MASTER, /* Master */
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PUBLIC, /* Public */
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PRIVATE /* Private */
};
static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL;
static unsigned int slave_reseed_interval = SLAVE_RESEED_INTERVAL;
@ -84,15 +99,48 @@ static time_t slave_reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL;
/* A logical OR of all used DRBG flag bits (currently there is only one) */
static const unsigned int rand_drbg_used_flags =
RAND_DRBG_FLAG_CTR_NO_DF;
RAND_DRBG_FLAG_CTR_NO_DF | RAND_DRBG_FLAG_HMAC | RAND_DRBG_TYPE_FLAGS;
static RAND_DRBG *drbg_setup(RAND_DRBG *parent);
static RAND_DRBG *drbg_setup(RAND_DRBG *parent, int drbg_type);
static RAND_DRBG *rand_drbg_new(int secure,
int type,
unsigned int flags,
RAND_DRBG *parent);
static int is_ctr(int type)
{
switch (type) {
case NID_aes_128_ctr:
case NID_aes_192_ctr:
case NID_aes_256_ctr:
return 1;
default:
return 0;
}
}
static int is_digest(int type)
{
switch (type) {
case NID_sha1:
case NID_sha224:
case NID_sha256:
case NID_sha384:
case NID_sha512:
case NID_sha512_224:
case NID_sha512_256:
case NID_sha3_224:
case NID_sha3_256:
case NID_sha3_384:
case NID_sha3_512:
return 1;
default:
return 0;
}
}
/*
* Set/initialize |drbg| to be of type |type|, with optional |flags|.
*
@ -105,26 +153,32 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
int ret = 1;
if (type == 0 && flags == 0) {
type = rand_drbg_type;
flags = rand_drbg_flags;
type = rand_drbg_type[RAND_DRBG_TYPE_MASTER];
flags = rand_drbg_flags[RAND_DRBG_TYPE_MASTER];
}
/* If set is called multiple times - clear the old one */
if (type != drbg->type && drbg->type != 0 && drbg->meth != NULL) {
drbg->meth->uninstantiate(drbg);
}
drbg->state = DRBG_UNINITIALISED;
drbg->flags = flags;
drbg->type = type;
switch (type) {
default:
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
return 0;
case 0:
if (type == 0) {
/* Uninitialized; that's okay. */
return 1;
case NID_aes_128_ctr:
case NID_aes_192_ctr:
case NID_aes_256_ctr:
} else if (is_ctr(type)) {
ret = drbg_ctr_init(drbg);
break;
} else if (is_digest(type)) {
if (flags & RAND_DRBG_FLAG_HMAC)
ret = drbg_hmac_init(drbg);
else
ret = drbg_hash_init(drbg);
} else {
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
return 0;
}
if (ret == 0)
@ -139,16 +193,10 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
*/
int RAND_DRBG_set_defaults(int type, unsigned int flags)
{
int ret = 1;
switch (type) {
default:
int all;
if (!(is_digest(type) || is_ctr(type))) {
RANDerr(RAND_F_RAND_DRBG_SET_DEFAULTS, RAND_R_UNSUPPORTED_DRBG_TYPE);
return 0;
case NID_aes_128_ctr:
case NID_aes_192_ctr:
case NID_aes_256_ctr:
break;
}
if ((flags & ~rand_drbg_used_flags) != 0) {
@ -156,10 +204,20 @@ int RAND_DRBG_set_defaults(int type, unsigned int flags)
return 0;
}
rand_drbg_type = type;
rand_drbg_flags = flags;
return ret;
all = ((flags & RAND_DRBG_TYPE_FLAGS) == 0);
if (all || (flags & RAND_DRBG_FLAG_MASTER) != 0) {
rand_drbg_type[RAND_DRBG_TYPE_MASTER] = type;
rand_drbg_flags[RAND_DRBG_TYPE_MASTER] = flags | RAND_DRBG_FLAG_MASTER;
}
if (all || (flags & RAND_DRBG_FLAG_PUBLIC) != 0) {
rand_drbg_type[RAND_DRBG_TYPE_PUBLIC] = type;
rand_drbg_flags[RAND_DRBG_TYPE_PUBLIC] = flags | RAND_DRBG_FLAG_PUBLIC;
}
if (all || (flags & RAND_DRBG_FLAG_PRIVATE) != 0) {
rand_drbg_type[RAND_DRBG_TYPE_PRIVATE] = type;
rand_drbg_flags[RAND_DRBG_TYPE_PRIVATE] = flags | RAND_DRBG_FLAG_PRIVATE;
}
return 1;
}
@ -341,13 +399,13 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
}
drbg->state = DRBG_READY;
drbg->generate_counter = 0;
drbg->reseed_gen_counter = 1;
drbg->reseed_time = time(NULL);
if (drbg->reseed_counter > 0) {
if (drbg->reseed_prop_counter > 0) {
if (drbg->parent == NULL)
drbg->reseed_counter++;
drbg->reseed_prop_counter++;
else
drbg->reseed_counter = drbg->parent->reseed_counter;
drbg->reseed_prop_counter = drbg->parent->reseed_prop_counter;
}
end:
@ -378,6 +436,7 @@ end:
*/
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
{
int index = -1, type, flags;
if (drbg->meth == NULL) {
RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE,
RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
@ -389,7 +448,23 @@ int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
* initial values.
*/
drbg->meth->uninstantiate(drbg);
return RAND_DRBG_set(drbg, drbg->type, drbg->flags);
/* The reset uses the default values for type and flags */
if (drbg->flags & RAND_DRBG_FLAG_MASTER)
index = RAND_DRBG_TYPE_MASTER;
else if (drbg->flags & RAND_DRBG_FLAG_PRIVATE)
index = RAND_DRBG_TYPE_PRIVATE;
else if (drbg->flags & RAND_DRBG_FLAG_PUBLIC)
index = RAND_DRBG_TYPE_PUBLIC;
if (index != -1) {
flags = rand_drbg_flags[index];
type = rand_drbg_type[index];
} else {
flags = drbg->flags;
type = drbg->type;
}
return RAND_DRBG_set(drbg, type, flags);
}
/*
@ -438,13 +513,13 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
goto end;
drbg->state = DRBG_READY;
drbg->generate_counter = 0;
drbg->reseed_gen_counter = 1;
drbg->reseed_time = time(NULL);
if (drbg->reseed_counter > 0) {
if (drbg->reseed_prop_counter > 0) {
if (drbg->parent == NULL)
drbg->reseed_counter++;
drbg->reseed_prop_counter++;
else
drbg->reseed_counter = drbg->parent->reseed_counter;
drbg->reseed_prop_counter = drbg->parent->reseed_prop_counter;
}
end:
@ -604,7 +679,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
}
if (drbg->reseed_interval > 0) {
if (drbg->generate_counter >= drbg->reseed_interval)
if (drbg->reseed_gen_counter > drbg->reseed_interval)
reseed_required = 1;
}
if (drbg->reseed_time_interval > 0) {
@ -613,8 +688,8 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
|| now - drbg->reseed_time >= drbg->reseed_time_interval)
reseed_required = 1;
}
if (drbg->reseed_counter > 0 && drbg->parent != NULL) {
if (drbg->reseed_counter != drbg->parent->reseed_counter)
if (drbg->reseed_prop_counter > 0 && drbg->parent != NULL) {
if (drbg->reseed_prop_counter != drbg->parent->reseed_prop_counter)
reseed_required = 1;
}
@ -633,7 +708,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
return 0;
}
drbg->generate_counter++;
drbg->reseed_gen_counter++;
return 1;
}
@ -850,11 +925,12 @@ void *RAND_DRBG_get_ex_data(const RAND_DRBG *drbg, int idx)
*
* Returns a pointer to the new DRBG instance on success, NULL on failure.
*/
static RAND_DRBG *drbg_setup(RAND_DRBG *parent)
static RAND_DRBG *drbg_setup(RAND_DRBG *parent, int drbg_type)
{
RAND_DRBG *drbg;
drbg = RAND_DRBG_secure_new(rand_drbg_type, rand_drbg_flags, parent);
drbg = RAND_DRBG_secure_new(rand_drbg_type[drbg_type],
rand_drbg_flags[drbg_type], parent);
if (drbg == NULL)
return NULL;
@ -863,7 +939,7 @@ static RAND_DRBG *drbg_setup(RAND_DRBG *parent)
goto err;
/* enable seed propagation */
drbg->reseed_counter = 1;
drbg->reseed_prop_counter = 1;
/*
* Ignore instantiation error to support just-in-time instantiation.
@ -900,7 +976,7 @@ DEFINE_RUN_ONCE_STATIC(do_rand_drbg_init)
if (!CRYPTO_THREAD_init_local(&public_drbg, NULL))
goto err1;
master_drbg = drbg_setup(NULL);
master_drbg = drbg_setup(NULL, RAND_DRBG_TYPE_MASTER);
if (master_drbg == NULL)
goto err2;
@ -1032,7 +1108,7 @@ RAND_DRBG *RAND_DRBG_get0_public(void)
if (drbg == NULL) {
if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_RAND))
return NULL;
drbg = drbg_setup(master_drbg);
drbg = drbg_setup(master_drbg, RAND_DRBG_TYPE_PUBLIC);
CRYPTO_THREAD_set_local(&public_drbg, drbg);
}
return drbg;
@ -1053,7 +1129,7 @@ RAND_DRBG *RAND_DRBG_get0_private(void)
if (drbg == NULL) {
if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_RAND))
return NULL;
drbg = drbg_setup(master_drbg);
drbg = drbg_setup(master_drbg, RAND_DRBG_TYPE_PRIVATE);
CRYPTO_THREAD_set_local(&private_drbg, drbg);
}
return drbg;

49
crypto/rand/rand_lcl.h
View file

@ -54,7 +54,7 @@ typedef enum drbg_status_e {
} DRBG_STATUS;
/* intantiate */
/* instantiate */
typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx,
const unsigned char *ent,
size_t entlen,
@ -68,7 +68,7 @@ typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx,
size_t entlen,
const unsigned char *adin,
size_t adinlen);
/* generat output */
/* generate output */
typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx,
unsigned char *out,
size_t outlen,
@ -89,6 +89,26 @@ typedef struct rand_drbg_method_st {
RAND_DRBG_uninstantiate_fn uninstantiate;
} RAND_DRBG_METHOD;
/* 888 bits from SP800-90Ar1 10.1 table 2 */
#define HASH_PRNG_MAX_SEEDLEN (888/8)
typedef struct rand_drbg_hash_st {
const EVP_MD *md;
EVP_MD_CTX *ctx;
size_t blocklen;
unsigned char V[HASH_PRNG_MAX_SEEDLEN];
unsigned char C[HASH_PRNG_MAX_SEEDLEN];
/* Temporary value storage: should always exceed max digest length */
unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
} RAND_DRBG_HASH;
typedef struct rand_drbg_hmac_st {
const EVP_MD *md;
HMAC_CTX *ctx;
size_t blocklen;
unsigned char K[EVP_MAX_MD_SIZE];
unsigned char V[EVP_MAX_MD_SIZE];
} RAND_DRBG_HMAC;
/*
* The state of a DRBG AES-CTR.
@ -139,7 +159,7 @@ struct rand_drbg_st {
int type; /* the nid of the underlying algorithm */
/*
* Stores the value of the rand_fork_count global as of when we last
* reseeded. The DRG reseeds automatically whenever drbg->fork_count !=
* reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
* rand_fork_count. Used to provide fork-safety and reseed this DRBG in
* the child process.
*/
@ -159,7 +179,10 @@ struct rand_drbg_st {
/*
* The following parameters are setup by the per-type "init" function.
*
* Currently the only type is CTR_DRBG, its init function is drbg_ctr_init().
* The supported types and their init functions are:
* (1) CTR_DRBG: drbg_ctr_init().
* (2) HMAC_DRBG: drbg_hmac_init().
* (3) HASH_DRBG: drbg_hash_init().
*
* The parameters are closely related to the ones described in
* section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
@ -179,8 +202,12 @@ struct rand_drbg_st {
size_t min_noncelen, max_noncelen;
size_t max_perslen, max_adinlen;
/* Counts the number of generate requests since the last reseed. */
unsigned int generate_counter;
/*
* Counts the number of generate requests since the last reseed
* (Starts at 1). This value is the reseed_counter as defined in
* NIST SP 800-90Ar1
*/
unsigned int reseed_gen_counter;
/*
* Maximum number of generate requests until a reseed is required.
* This value is ignored if it is zero.
@ -203,7 +230,7 @@ struct rand_drbg_st {
* is added by RAND_add() or RAND_seed() will have an immediate effect on
* the output of RAND_bytes() resp. RAND_priv_bytes().
*/
unsigned int reseed_counter;
unsigned int reseed_prop_counter;
size_t seedlen;
DRBG_STATUS state;
@ -211,9 +238,11 @@ struct rand_drbg_st {
/* Application data, mainly used in the KATs. */
CRYPTO_EX_DATA ex_data;
/* Implementation specific data (currently only one implementation) */
/* Implementation specific data */
union {
RAND_DRBG_CTR ctr;
RAND_DRBG_HASH hash;
RAND_DRBG_HMAC hmac;
} data;
/* Implementation specific methods */
@ -252,7 +281,9 @@ int rand_drbg_unlock(RAND_DRBG *drbg);
int rand_drbg_enable_locking(RAND_DRBG *drbg);
/* initializes the AES-CTR DRBG implementation */
/* initializes the DRBG implementation */
int drbg_ctr_init(RAND_DRBG *drbg);
int drbg_hash_init(RAND_DRBG *drbg);
int drbg_hmac_init(RAND_DRBG *drbg);
#endif

2
crypto/rand/rand_unix.c
View file

@ -577,7 +577,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
/*
* Add process id, thread id, and a high resolution timestamp to
* ensure that the nonce is unique whith high probability for
* ensure that the nonce is unique with high probability for
* different process instances.
*/
data.pid = getpid();

40
doc/man3/RAND_DRBG_new.pod
View file

@ -49,15 +49,45 @@ RAND_DRBG_set() initializes the B<drbg> with the given B<type> and B<flags>.
RAND_DRBG_set_defaults() sets the default B<type> and B<flags> for new DRBG
instances.
Currently, all DRBG types are based on AES-CTR, so B<type> can be one of the
following values: NID_aes_128_ctr, NID_aes_192_ctr, NID_aes_256_ctr.
The DRBG types are AES-CTR, HMAC and HASH so B<type> can be one of the
following values:
NID_aes_128_ctr, NID_aes_192_ctr, NID_aes_256_ctr, NID_sha1, NID_sha224,
NID_sha256, NID_sha384, NID_sha512, NID_sha512_224, NID_sha512_256,
NID_sha3_224, NID_sha3_256, NID_sha3_384 or NID_sha3_512.
If this method is not called then the default type is given by RAND_DRBG_TYPE.
Before the DRBG can be used to generate random bits, it is necessary to set
its type and to instantiate it.
The optional B<flags> argument specifies a set of bit flags which can be
joined using the | operator. Currently, the only flag is
RAND_DRBG_FLAG_CTR_NO_DF, which disables the use of a the derivation function
ctr_df. For an explanation, see [NIST SP 800-90A Rev. 1].
joined using the | operator. The supported flags are:
=over 4
=item RAND_DRBG_FLAG_CTR_NO_DF
Disables the use of the derivation function ctr_df. For an explanation,
see [NIST SP 800-90A Rev. 1].
=item RAND_DRBG_FLAG_HMAC
Enables use of HMAC instead of the HASH DRBG.
=item RAND_DRBG_FLAG_MASTER
=item RAND_DRBG_FLAG_PUBLIC
=item RAND_DRBG_FLAG_PRIVATE
These 3 flags can be used to set the individual DRBG types created. Multiple
calls are required to set the types to different values. If none of these 3
flags are used, then the same type and flags are used for all 3 DRBG's in the
B<drbg> chain (<master>, <public> and <private>). The default used if this
method is not called is to use RAND_DRBG_FLAGS.
=back
If a B<parent> instance is specified then this will be used instead of
the default entropy source for reseeding the B<drbg>. It is said that the

24
include/openssl/rand_drbg.h
View file

@ -22,7 +22,18 @@
/* In CTR mode, disable derivation function ctr_df */
# define RAND_DRBG_FLAG_CTR_NO_DF 0x1
/*
* This flag is only used when a digest NID is specified (i.e: not a CTR cipher)
* Selects DRBG_HMAC if this is set otherwise use DRBG_HASH.
*/
# define RAND_DRBG_FLAG_HMAC 0x2
/* Used by RAND_DRBG_set_defaults() to set the master DRBG type and flags. */
# define RAND_DRBG_FLAG_MASTER 0x4
/* Used by RAND_DRBG_set_defaults() to set the public DRBG type and flags. */
# define RAND_DRBG_FLAG_PUBLIC 0x8
/* Used by RAND_DRBG_set_defaults() to set the private DRBG type and flags. */
# define RAND_DRBG_FLAG_PRIVATE 0x10
# if OPENSSL_API_COMPAT < 0x10200000L
/* This #define was replaced by an internal constant and should not be used. */
@ -33,18 +44,23 @@
* Default security strength (in the sense of [NIST SP 800-90Ar1])
*
* NIST SP 800-90Ar1 supports the strength of the DRBG being smaller than that
* of the cipher by collecting less entropy. The current DRBG implemantion does
* not take RAND_DRBG_STRENGTH into account and sets the strength of the DRBG
* to that of the cipher.
* of the cipher by collecting less entropy. The current DRBG implementation
* does not take RAND_DRBG_STRENGTH into account and sets the strength of the
* DRBG to that of the cipher.
*
* RAND_DRBG_STRENGTH is currently only used for the legacy RAND
* implementation.
*
* Currently supported ciphers are: NID_aes_128_ctr, NID_aes_192_ctr and
* NID_aes_256_ctr
* NID_aes_256_ctr.
* The digest types for DRBG_hash or DRBG_hmac are: NID_sha1, NID_sha224,
* NID_sha256, NID_sha384, NID_sha512, NID_sha512_224, NID_sha512_256,
* NID_sha3_224, NID_sha3_256, NID_sha3_384 and NID_sha3_512.
*/
# define RAND_DRBG_STRENGTH 256
/* Default drbg type */
# define RAND_DRBG_TYPE NID_aes_256_ctr
/* Default drbg flags */
# define RAND_DRBG_FLAGS 0

4
test/build.info
View file

@ -343,7 +343,9 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=main
INCLUDE[drbgtest]=../include
DEPEND[drbgtest]=../libcrypto libtestutil.a
SOURCE[drbg_cavs_test]=drbg_cavs_test.c drbg_cavs_data.c
SOURCE[drbg_cavs_test]=drbg_cavs_test.c drbg_cavs_data_ctr.c \
drbg_cavs_data_hash.c drbg_cavs_data_hmac.c
INCLUDE[drbg_cavs_test]=../include . ..
DEPEND[drbg_cavs_test]=../libcrypto libtestutil.a

170320
test/drbg_cavs_data.c
View file

File diff suppressed because it is too large Load diff

20
test/drbg_cavs_data.h
View file

@ -22,10 +22,11 @@ enum drbg_kat_type {
PR_TRUE
};
enum drbg_df {
USE_DF,
NO_DF,
NA
enum drbg_flags {
NA = 0,
USE_DF = 1<<0,
NO_DF = 1<<1,
USE_HMAC = 1<<2
};
struct drbg_kat_no_reseed {
@ -64,7 +65,7 @@ struct drbg_kat_pr_true {
struct drbg_kat {
enum drbg_kat_type type;
enum drbg_df df;
enum drbg_flags flags;
int nid;
size_t entropyinlen;
@ -76,7 +77,12 @@ struct drbg_kat {
const void *t;
};
extern const struct drbg_kat *drbg_test[];
extern const size_t drbg_test_nelem;
extern const struct drbg_kat *drbg_ctr_test[];
extern const struct drbg_kat *drbg_hmac_test[];
extern const struct drbg_kat *drbg_hash_test[];
extern const size_t drbg_ctr_nelem;
extern const size_t drbg_hmac_nelem;
extern const size_t drbg_hash_nelem;
#endif

7769
test/drbg_cavs_data_ctr.c Normal file
View file

File diff suppressed because it is too large Load diff

8387
test/drbg_cavs_data_hash.c Normal file
View file

File diff suppressed because it is too large Load diff

285
test/drbg_cavs_data_hmac.c Normal file
View file

@ -0,0 +1,285 @@
/*
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/*
* Small subset of DRBG test vectors from:
* https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
* The index in the names given below (e.g- kat1680)- refers to the CAVS index.
*/
#include <openssl/obj_mac.h>
#include "internal/nelem.h"
#include "drbg_cavs_data.h"
static const unsigned char kat1_nor_entropyin[] = {
0xe9, 0x1b, 0x63, 0x30, 0x9e, 0x93, 0xd1, 0xd0, 0x8e, 0x30, 0xe8, 0xd5,
0x56, 0x90, 0x68, 0x75,
};
static const unsigned char kat1_nor_nonce[] = {
0xf5, 0x97, 0x47, 0xc4, 0x68, 0xb0, 0xd0, 0xda,
};
static const unsigned char kat1_nor_persstr[] = {0};
static const unsigned char kat1_nor_addin0[] = {0};
static const unsigned char kat1_nor_addin1[] = {0};
static const unsigned char kat1_nor_retbytes[] = {
0xb7, 0x92, 0x8f, 0x95, 0x03, 0xa4, 0x17, 0x11, 0x07, 0x88, 0xf9, 0xd0,
0xc2, 0x58, 0x5f, 0x8a, 0xee, 0x6f, 0xb7, 0x3b, 0x22, 0x0a, 0x62, 0x6b,
0x3a, 0xb9, 0x82, 0x5b, 0x7a, 0x9f, 0xac, 0xc7, 0x97, 0x23, 0xd7, 0xe1,
0xba, 0x92, 0x55, 0xe4, 0x0e, 0x65, 0xc2, 0x49, 0xb6, 0x08, 0x2a, 0x7b,
0xc5, 0xe3, 0xf1, 0x29, 0xd3, 0xd8, 0xf6, 0x9b, 0x04, 0xed, 0x11, 0x83,
0x41, 0x9d, 0x6c, 0x4f, 0x2a, 0x13, 0xb3, 0x04, 0xd2, 0xc5, 0x74, 0x3f,
0x41, 0xc8, 0xb0, 0xee, 0x73, 0x22, 0x53, 0x47,
};
static const struct drbg_kat_no_reseed kat1_nor_t = {
0, kat1_nor_entropyin, kat1_nor_nonce, kat1_nor_persstr,
kat1_nor_addin0, kat1_nor_addin1, kat1_nor_retbytes
};
static const struct drbg_kat kat1_nor = {
NO_RESEED, USE_HMAC, NID_sha1, 16, 8, 0, 0, 80, &kat1_nor_t
};
static const unsigned char kat1680_nor_entropyin[] = {
0x68, 0xcf, 0x3f, 0x51, 0x8b, 0x47, 0x45, 0x45, 0x2a, 0x41, 0x49, 0xd2,
0x00, 0x43, 0x49, 0x60, 0xcb, 0xe1, 0x0b, 0xcb, 0x78, 0x3c, 0x3f, 0x89,
0xd3, 0xb8, 0x5f, 0x61, 0x87, 0x99, 0xf5, 0xcb,
};
static const unsigned char kat1680_nor_nonce[] = {
0xdc, 0x34, 0x5f, 0x21, 0xa3, 0x3c, 0x16, 0x8e, 0x4e, 0x07, 0x60, 0x31,
0x87, 0x59, 0x2f, 0x9c,
};
static const unsigned char kat1680_nor_persstr[] = {
0x2c, 0x26, 0xce, 0x79, 0xee, 0x85, 0xd0, 0xc9, 0xca, 0x4d, 0x1a, 0xbc,
0x6e, 0x0a, 0xc2, 0xad, 0xb2, 0x6c, 0xd2, 0x23, 0xdc, 0xb5, 0x13, 0x40,
0x3a, 0x53, 0x75, 0x5b, 0x64, 0x75, 0x98, 0xe3,
};
static const unsigned char kat1680_nor_addin0[] = {
0xac, 0xcf, 0xf5, 0x36, 0x08, 0x61, 0x6d, 0x90, 0x07, 0x19, 0x9e, 0x41,
0x39, 0x68, 0x46, 0xbe, 0x58, 0x00, 0xee, 0xa5, 0x5f, 0x73, 0xf6, 0x4a,
0x6d, 0x8c, 0x8f, 0x26, 0xb5, 0xba, 0xe0, 0x7d,
};
static const unsigned char kat1680_nor_addin1[] = {
0xd8, 0xd5, 0x25, 0x8b, 0xaf, 0xf4, 0x18, 0x50, 0xde, 0x1f, 0xeb, 0x5e,
0xcb, 0xbd, 0x17, 0x95, 0xcd, 0xf4, 0x53, 0x8a, 0x1c, 0x57, 0xf5, 0x5c,
0x9f, 0x58, 0x5f, 0xf0, 0x35, 0xa1, 0x3e, 0x55,
};
static const unsigned char kat1680_nor_retbytes[] = {
0x50, 0x32, 0xda, 0xa0, 0x34, 0x15, 0xb2, 0xb6, 0x78, 0x0e, 0xf4, 0xc6,
0xcf, 0xec, 0xfa, 0xcc, 0xef, 0xda, 0x71, 0x2f, 0x25, 0x29, 0xd2, 0xcd,
0xf4, 0xcb, 0x45, 0xd5, 0x22, 0x29, 0xe2, 0xb7, 0x38, 0x8e, 0xbc, 0xe9,
0x26, 0xa7, 0xaa, 0x05, 0xcc, 0x13, 0x2b, 0x34, 0x79, 0xe7, 0xb9, 0xc0,
0xb8, 0xb4, 0xcd, 0x02, 0x62, 0xf7, 0xb1, 0x8a, 0x58, 0x32, 0x6e, 0xab,
0x2b, 0xae, 0xb9, 0x1e, 0xd4, 0x81, 0x8b, 0xf2, 0x0a, 0x10, 0x59, 0x75,
0x34, 0x2b, 0xed, 0x6a, 0x97, 0xf2, 0xe6, 0x7c, 0x48, 0x3a, 0x40, 0x3f,
0x98, 0xa4, 0xa5, 0xdf, 0xee, 0x98, 0x13, 0x07, 0x41, 0xb9, 0x09, 0xf0,
0xc4, 0x81, 0x2c, 0x19, 0x17, 0x33, 0x4d, 0xdc, 0x5e, 0x67, 0x82, 0x56,
0xb7, 0x8c, 0x23, 0x76, 0x42, 0x17, 0x79, 0x8f, 0x25, 0xdb, 0x20, 0xd8,
0x0e, 0xa8, 0x5b, 0x69, 0xef, 0xd7, 0x58, 0x92,
};
static const struct drbg_kat_no_reseed kat1680_nor_t = {
14, kat1680_nor_entropyin, kat1680_nor_nonce, kat1680_nor_persstr,
kat1680_nor_addin0, kat1680_nor_addin1, kat1680_nor_retbytes
};
static const struct drbg_kat kat1680_nor = {
NO_RESEED, USE_HMAC, NID_sha512_256, 32, 16, 32, 32, 128, &kat1680_nor_t
};
/* -------------------------------------------------------------------------- */
static const unsigned char kat2_prt_entropyin[] = {
0x07, 0xbd, 0xda, 0xb0, 0x6c, 0xf3, 0xd7, 0xf0, 0x94, 0xcc, 0x23, 0x02,
0xab, 0xd7, 0x00, 0xa9,
};
static const unsigned char kat2_prt_nonce[] = {
0xd6, 0x74, 0x21, 0xae, 0xb7, 0x11, 0xf4, 0xbb,
};
static const unsigned char kat2_prt_persstr[] = {0};
static const unsigned char kat2_prt_entropyinpr0[] = {
0xe6, 0x6f, 0x59, 0xe2, 0x8a, 0x46, 0x79, 0x42, 0x13, 0xbf, 0x3d, 0x0c,
0x3a, 0x2c, 0xbb, 0xb0,
};
static const unsigned char kat2_prt_entropyinpr1[] = {
0x92, 0x05, 0xb9, 0x0e, 0x0e, 0xf2, 0x12, 0xc7, 0x67, 0x9b, 0x37, 0x52,
0x6a, 0x80, 0x67, 0x89,
};
static const unsigned char kat2_prt_addin0[] = {0};
static const unsigned char kat2_prt_addin1[] = {0};
static const unsigned char kat2_prt_retbytes[] = {
0xf7, 0x6f, 0xd2, 0xa4, 0x9d, 0x95, 0x74, 0xc3, 0xf9, 0x08, 0x64, 0xf3,
0x5f, 0x32, 0x25, 0x3b, 0x83, 0x09, 0x8e, 0xe0, 0x4a, 0x4c, 0x8d, 0xba,
0x46, 0x4a, 0x80, 0x35, 0xf6, 0x65, 0xca, 0x16, 0x5c, 0x8a, 0x03, 0x8b,
0xe5, 0xe1, 0xb1, 0x00, 0xd5, 0x67, 0x52, 0xad, 0xcf, 0x59, 0xbe, 0xa1,
0x67, 0xe1, 0x5b, 0x1d, 0x01, 0xc4, 0x19, 0x94, 0x8d, 0x2d, 0x0a, 0x85,
0xbe, 0x66, 0xd1, 0x9b, 0xb4, 0x0e, 0x5e, 0x0a, 0x66, 0xcf, 0xd7, 0x6b,
0xa7, 0x54, 0x7e, 0xba, 0x62, 0x76, 0xea, 0x49,
};
static const struct drbg_kat_pr_true kat2_prt_t = {
1, kat2_prt_entropyin, kat2_prt_nonce, kat2_prt_persstr,
kat2_prt_entropyinpr0, kat2_prt_addin0, kat2_prt_entropyinpr1,
kat2_prt_addin1, kat2_prt_retbytes
};
static const struct drbg_kat kat2_prt = {
PR_TRUE, USE_HMAC, NID_sha1, 16, 8, 0, 0, 80, &kat2_prt_t
};
static const unsigned char kat1680_prt_entropyin[] = {
0xfa, 0x18, 0xc7, 0x94, 0x9c, 0xd5, 0xbc, 0xbe, 0x49, 0xc9, 0x6f, 0x4d,
0x66, 0x70, 0xc8, 0x4f, 0x55, 0xae, 0xe0, 0x0f, 0x36, 0xa4, 0x6c, 0xbf,
0xaf, 0xbe, 0x54, 0xe6, 0x6b, 0x32, 0x64, 0x23,
};
static const unsigned char kat1680_prt_nonce[] = {
0xc6, 0xfd, 0xec, 0x42, 0x46, 0xbd, 0xa3, 0xe2, 0xb6, 0x9f, 0xf6, 0x02,
0x67, 0x5f, 0x7e, 0x6d,
};
static const unsigned char kat1680_prt_persstr[] = {
0x9b, 0x31, 0xee, 0xbb, 0xe8, 0xbc, 0x02, 0x3c, 0xb8, 0x19, 0x3c, 0xe5,
0xe1, 0x5a, 0x62, 0x9d, 0x29, 0x20, 0xa0, 0xc4, 0x91, 0x69, 0xd2, 0x98,
0x92, 0x4b, 0xdb, 0xa2, 0xeb, 0x3b, 0xcd, 0x46,
};
static const unsigned char kat1680_prt_entropyinpr0[] = {
0xd7, 0x84, 0x2e, 0x7a, 0xd0, 0xcb, 0xac, 0x6b, 0x94, 0x04, 0xe8, 0xe9,
0x42, 0xfa, 0xbb, 0x77, 0x97, 0x4b, 0x35, 0x3a, 0x7f, 0x96, 0x33, 0x88,
0x06, 0x95, 0xfb, 0xff, 0xcb, 0x4d, 0x32, 0x79,
};
static const unsigned char kat1680_prt_entropyinpr1[] = {
0x96, 0xa3, 0x0d, 0x85, 0x93, 0xcc, 0xe5, 0xfe, 0xbd, 0x4f, 0x03, 0x4f,
0xf9, 0x74, 0x79, 0xeb, 0x88, 0x08, 0xe8, 0x1b, 0xd7, 0xb8, 0xf7, 0xb4,
0x4a, 0xe9, 0x45, 0xfb, 0xbf, 0x50, 0x35, 0x72,
};
static const unsigned char kat1680_prt_addin0[] = {
0x2e, 0x08, 0x83, 0xa8, 0x80, 0x21, 0xb7, 0xca, 0x2e, 0x8b, 0xe9, 0xb7,
0xb2, 0x08, 0xee, 0xc4, 0x10, 0x78, 0x64, 0x60, 0x5f, 0x71, 0x85, 0x10,
0x32, 0x3d, 0x89, 0xc8, 0x14, 0x6c, 0xa8, 0x93,
};
static const unsigned char kat1680_prt_addin1[] = {
0x01, 0x55, 0xdc, 0x73, 0xa3, 0x6c, 0x16, 0x0d, 0x9e, 0x13, 0xc0, 0x23,
0xe7, 0x32, 0x79, 0x8b, 0x4f, 0xba, 0x3a, 0x9f, 0xd8, 0x49, 0xc0, 0xed,
0xf8, 0x99, 0x76, 0x5c, 0x5f, 0xf7, 0x34, 0x9f,
};
static const unsigned char kat1680_prt_retbytes[] = {
0xee, 0x19, 0x1d, 0xc6, 0xbe, 0xf0, 0x25, 0xe3, 0x63, 0x02, 0xbb, 0x8c,
0xe0, 0xe6, 0xa9, 0x49, 0xf7, 0xb0, 0xd2, 0x94, 0x4b, 0x24, 0x6f, 0xc5,
0x2d, 0x68, 0xa2, 0x0c, 0x3b, 0x2b, 0x78, 0x75, 0x95, 0xca, 0x9d, 0x4b,
0xae, 0x2f, 0x55, 0xa1, 0x39, 0x24, 0xfa, 0xbb, 0xef, 0x8f, 0x70, 0x0a,
0xbc, 0x09, 0xd7, 0xda, 0xc1, 0xc1, 0xeb, 0x3a, 0x63, 0xc0, 0x40, 0x86,
0x75, 0x19, 0xe6, 0x72, 0x4f, 0xae, 0xb5, 0x32, 0xd0, 0x1c, 0xd3, 0x89,
0x22, 0xe4, 0xe0, 0x97, 0x35, 0x66, 0xfc, 0x23, 0xf5, 0xfb, 0xc0, 0x67,
0xf4, 0x96, 0xcb, 0x97, 0xfe, 0x3c, 0xe9, 0x75, 0x64, 0xf0, 0x01, 0x0d,
0x6c, 0xd2, 0xb5, 0xd8, 0x1a, 0x3e, 0x79, 0xfc, 0xb8, 0x5f, 0x01, 0x01,
0x91, 0xa7, 0x6b, 0x4d, 0x79, 0x6e, 0xa8, 0xc8, 0x5b, 0x11, 0x9d, 0xd2,
0x42, 0x10, 0xf6, 0x47, 0x25, 0xc0, 0x96, 0x89,
};
static const struct drbg_kat_pr_true kat1680_prt_t = {
14, kat1680_prt_entropyin, kat1680_prt_nonce, kat1680_prt_persstr,
kat1680_prt_entropyinpr0, kat1680_prt_addin0, kat1680_prt_entropyinpr1,
kat1680_prt_addin1, kat1680_prt_retbytes
};
static const struct drbg_kat kat1680_prt = {
PR_TRUE, USE_HMAC, NID_sha512_256, 32, 16, 32, 32, 128, &kat1680_prt_t
};
/* -------------------------------------------------------------------------- */
static const unsigned char kat7_prf_entropyin[] = {
0xb3, 0xd4, 0x04, 0x12, 0x01, 0xf4, 0x34, 0x5e, 0x0a, 0x81, 0x8d, 0xe1,
0x36, 0xc6, 0xaa, 0x7e,
};
static const unsigned char kat7_prf_nonce[] = {
0x6b, 0x06, 0x12, 0xe1, 0xac, 0x6b, 0x3f, 0x2f,
};
static const unsigned char kat7_prf_persstr[] = {0};
static const unsigned char kat7_prf_entropyin_reseed[] = {
0x26, 0xf6, 0xec, 0x32, 0x8a, 0xc7, 0xf8, 0x96, 0x6d, 0xca, 0x90, 0xe1,
0x62, 0xc2, 0x97, 0xef,
};
static const unsigned char kat7_prf_addin_reseed[] = {0};
static const unsigned char kat7_prf_addin0[] = {0};
static const unsigned char kat7_prf_addin1[] = {0};
static const unsigned char kat7_prf_retbytes[] = {
0xd9, 0x24, 0x5a, 0x4a, 0x0a, 0xb0, 0xca, 0x97, 0xe7, 0x47, 0xc0, 0xd2,
0x90, 0x98, 0x97, 0x9e, 0x82, 0x48, 0xe5, 0x3f, 0x0e, 0xc6, 0xb9, 0x16,
0x78, 0x97, 0x2f, 0x3b, 0x56, 0x91, 0xe7, 0x99, 0x5a, 0xd2, 0xeb, 0x99,
0x64, 0x0d, 0x3e, 0x9a, 0x83, 0x64, 0x89, 0x1d, 0x0f, 0xf1, 0x79, 0x73,
0x2d, 0x63, 0x3f, 0x76, 0x2d, 0x65, 0x92, 0xa4, 0xd4, 0x9c, 0x4e, 0x66,
0x7c, 0x69, 0x9b, 0x26, 0x78, 0x92, 0x9c, 0x81, 0xd9, 0xbd, 0xfc, 0x74,
0xd6, 0x57, 0x5f, 0x5b, 0x72, 0x7f, 0x4d, 0x65,
};
static const struct drbg_kat_pr_false kat7_prf_t = {
6, kat7_prf_entropyin, kat7_prf_nonce, kat7_prf_persstr,
kat7_prf_entropyin_reseed, kat7_prf_addin_reseed,
kat7_prf_addin0, kat7_prf_addin1, kat7_prf_retbytes
};
static const struct drbg_kat kat7_prf = {
PR_FALSE, USE_HMAC, NID_sha1, 16, 8, 0, 0, 80, &kat7_prf_t
};
static const unsigned char kat1680_prf_entropyin[] = {
0x03, 0x8f, 0x2d, 0x21, 0x48, 0x1d, 0xe9, 0xf2, 0x28, 0x61, 0x68, 0xc8,
0x0d, 0xb5, 0x59, 0xb0, 0x37, 0xa3, 0x6a, 0x05, 0x91, 0xe3, 0xc2, 0x46,
0xa5, 0xe3, 0xa5, 0x5d, 0x0e, 0x39, 0x2b, 0x35,
};
static const unsigned char kat1680_prf_nonce[] = {
0x86, 0x95, 0x63, 0x4d, 0xb6, 0xfc, 0x1c, 0x67, 0x29, 0x9f, 0xd5, 0x55,
0x3b, 0x19, 0xc5, 0x4d,
};
static const unsigned char kat1680_prf_persstr[] = {
0x01, 0x35, 0x28, 0x7e, 0xfe, 0x2f, 0x40, 0xa9, 0xcf, 0x2a, 0xdc, 0x97,
0xa5, 0x58, 0x20, 0xbb, 0xb9, 0xf9, 0x49, 0x8b, 0xc5, 0x12, 0x70, 0x7c,
0x5a, 0xc9, 0xc7, 0x21, 0x89, 0x37, 0x57, 0xbf,
};
static const unsigned char kat1680_prf_entropyin_reseed[] = {
0x7d, 0x20, 0xf5, 0xdd, 0x7e, 0xba, 0x0d, 0x2d, 0xd1, 0x88, 0x2f, 0xd2,
0xdd, 0x98, 0x72, 0x80, 0xf3, 0xd9, 0x50, 0x2a, 0x62, 0x4d, 0xff, 0x55,
0x26, 0x7d, 0x59, 0x6d, 0x4a, 0xb0, 0x21, 0xc9,
};
static const unsigned char kat1680_prf_addin_reseed[] = {
0x7e, 0x78, 0x8d, 0x4f, 0xba, 0xb8, 0x92, 0xa6, 0x67, 0xc1, 0x52, 0xf2,
0x90, 0x6c, 0x4b, 0xd7, 0xc4, 0xa6, 0x29, 0x5f, 0x11, 0x5b, 0xb6, 0xf6,
0x5d, 0x80, 0x88, 0xfd, 0xff, 0xc8, 0xb5, 0xe5,
};
static const unsigned char kat1680_prf_addin0[] = {
0xb7, 0x5e, 0x30, 0x58, 0x84, 0x81, 0x60, 0xfd, 0x30, 0xe7, 0xd0, 0x4a,
0x72, 0xba, 0x5b, 0x37, 0x6f, 0xad, 0xf2, 0x66, 0xdb, 0x66, 0x6a, 0x95,
0xed, 0xaa, 0xab, 0x56, 0x52, 0x51, 0x1e, 0xb9,
};
static const unsigned char kat1680_prf_addin1[] = {
0x69, 0x73, 0xe0, 0x5c, 0xea, 0xb5, 0x31, 0x0b, 0x91, 0x21, 0xe1, 0xde,
0x19, 0x94, 0x84, 0xdf, 0x58, 0xfc, 0x4b, 0x26, 0x42, 0x9d, 0xdf, 0x44,
0x65, 0xcd, 0xe7, 0xf7, 0xd6, 0xea, 0x35, 0x54,
};
static const unsigned char kat1680_prf_retbytes[] = {
0x13, 0x44, 0x5b, 0x39, 0xab, 0x89, 0x3b, 0x31, 0x9c, 0xb0, 0xc4, 0x22,
0x50, 0x8d, 0x3f, 0x4d, 0x03, 0x26, 0x40, 0x16, 0xf9, 0xf6, 0x91, 0xb9,
0x16, 0x97, 0xb6, 0x37, 0xc4, 0xea, 0x25, 0x1c, 0x71, 0xec, 0x4c, 0xa3,
0x55, 0x70, 0xd1, 0x07, 0x24, 0xa3, 0xf9, 0x19, 0xe0, 0x42, 0xdc, 0xe3,
0x5f, 0x50, 0xfc, 0x10, 0x86, 0x6f, 0x7c, 0x9d, 0xf8, 0x8a, 0xb3, 0x7e,
0xa3, 0xbc, 0x25, 0xd2, 0x86, 0xfa, 0xe1, 0x55, 0x7f, 0xd9, 0x30, 0xed,
0x74, 0x7c, 0xdf, 0x24, 0x6b, 0xc7, 0xa3, 0xb2, 0xd6, 0xc9, 0x5d, 0x1f,
0x77, 0x17, 0xbb, 0xe4, 0x22, 0xd7, 0x10, 0x35, 0x6a, 0xf8, 0xab, 0x7d,
0xf7, 0xcd, 0x72, 0x4d, 0x02, 0x2f, 0xe5, 0xf8, 0xf2, 0xd8, 0x4d, 0x6f,
0x2b, 0x27, 0x0d, 0x70, 0xb1, 0x6a, 0xf1, 0x4b, 0x3c, 0xcb, 0x4d, 0x52,
0xfd, 0x58, 0x7c, 0x59, 0x8f, 0x00, 0x95, 0x1e,
};
static const struct drbg_kat_pr_false kat1680_prf_t = {
14, kat1680_prf_entropyin, kat1680_prf_nonce, kat1680_prf_persstr,
kat1680_prf_entropyin_reseed, kat1680_prf_addin_reseed,
kat1680_prf_addin0, kat1680_prf_addin1, kat1680_prf_retbytes
};
static const struct drbg_kat kat1680_prf = {
PR_FALSE, USE_HMAC, NID_sha512_256, 32, 16, 32, 32, 128, &kat1680_prf_t
};
/* -------------------------------------------------------------------------- */
const struct drbg_kat *drbg_hmac_test[] = {
&kat1_nor, &kat1680_nor,
&kat2_prt, &kat1680_prt,
&kat7_prf, &kat1680_prf
};
const size_t drbg_hmac_nelem = OSSL_NELEM(drbg_hmac_test);

36
test/drbg_cavs_test.c
View file

@ -71,8 +71,10 @@ static int single_kat_no_reseed(const struct drbg_kat *td)
int failures = 0;
TEST_CTX t;
if (td->df != USE_DF)
if ((td->flags & USE_DF) == 0)
flags |= RAND_DRBG_FLAG_CTR_NO_DF;
if ((td->flags & USE_HMAC) != 0)
flags |= RAND_DRBG_FLAG_HMAC;
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL)))
return 0;
@ -133,8 +135,10 @@ static int single_kat_pr_false(const struct drbg_kat *td)
int failures = 0;
TEST_CTX t;
if (td->df != USE_DF)
if ((td->flags & USE_DF) == 0)
flags |= RAND_DRBG_FLAG_CTR_NO_DF;
if ((td->flags & USE_HMAC) != 0)
flags |= RAND_DRBG_FLAG_HMAC;
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL)))
return 0;
@ -200,8 +204,10 @@ static int single_kat_pr_true(const struct drbg_kat *td)
int failures = 0;
TEST_CTX t;
if (td->df != USE_DF)
if ((td->flags & USE_DF) == 0)
flags |= RAND_DRBG_FLAG_CTR_NO_DF;
if ((td->flags & USE_HMAC) != 0)
flags |= RAND_DRBG_FLAG_HMAC;
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL)))
return 0;
@ -252,9 +258,9 @@ err:
return failures == 0;
}
static int test_cavs_kats(int i)
static int test_cavs_kats(const struct drbg_kat *test[], int i)
{
const struct drbg_kat *td = drbg_test[i];
const struct drbg_kat *td = test[i];
int rv = 0;
switch (td->type) {
@ -278,10 +284,28 @@ err:
return rv;
}
static int test_cavs_ctr(int i)
{
return test_cavs_kats(drbg_ctr_test, i);
}
static int test_cavs_hmac(int i)
{
return test_cavs_kats(drbg_hmac_test, i);
}
static int test_cavs_hash(int i)
{
return test_cavs_kats(drbg_hash_test, i);
}
int setup_tests(void)
{
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
ADD_ALL_TESTS(test_cavs_kats, drbg_test_nelem);
ADD_ALL_TESTS(test_cavs_ctr, drbg_ctr_nelem);
ADD_ALL_TESTS(test_cavs_hmac, drbg_hmac_nelem);
ADD_ALL_TESTS(test_cavs_hash, drbg_hash_nelem);
return 1;
}

164
test/drbgtest.c
View file

@ -99,6 +99,10 @@ typedef struct drbg_selftest_data_st {
#define make_drbg_test_data_no_df(nid, pr, p) \
make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p)
#define make_drbg_test_data_hash(nid, pr, p) \
make_drbg_test_data(nid, RAND_DRBG_FLAG_HMAC, hmac_##pr, p), \
make_drbg_test_data(nid, 0, pr, p)
static DRBG_SELFTEST_DATA drbg_test[] = {
make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df, 0),
make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df, 0),
@ -106,6 +110,11 @@ static DRBG_SELFTEST_DATA drbg_test[] = {
make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0),
make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0),
make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1),
make_drbg_test_data_hash(NID_sha1, sha1, 0),
make_drbg_test_data_hash(NID_sha224, sha224, 0),
make_drbg_test_data_hash(NID_sha256, sha256, 1),
make_drbg_test_data_hash(NID_sha384, sha384, 0),
make_drbg_test_data_hash(NID_sha512, sha512, 0),
};
static int app_data_index;
@ -283,10 +292,10 @@ static int error_check(DRBG_SELFTEST_DATA *td)
RAND_DRBG *drbg = NULL;
TEST_CTX t;
unsigned char buff[1024];
unsigned int generate_counter_tmp;
unsigned int reseed_counter_tmp;
int ret = 0;
if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
goto err;
/*
@ -302,7 +311,7 @@ static int error_check(DRBG_SELFTEST_DATA *td)
* Entropy source tests
*/
/* Test entropy source failure detecion: i.e. returns no data */
/* Test entropy source failure detection: i.e. returns no data */
t.entropylen = 0;
if (TEST_int_le(RAND_DRBG_instantiate(drbg, td->pers, td->perslen), 0))
goto err;
@ -378,15 +387,15 @@ static int error_check(DRBG_SELFTEST_DATA *td)
/* Instantiate again with valid data */
if (!instantiate(drbg, td, &t))
goto err;
generate_counter_tmp = drbg->generate_counter;
drbg->generate_counter = drbg->reseed_interval;
reseed_counter_tmp = drbg->reseed_gen_counter;
drbg->reseed_gen_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
|| !TEST_int_eq(drbg->generate_counter, generate_counter_tmp + 1)
|| !TEST_int_eq(drbg->reseed_gen_counter, reseed_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
@ -403,15 +412,15 @@ static int error_check(DRBG_SELFTEST_DATA *td)
/* Test reseed counter works */
if (!instantiate(drbg, td, &t))
goto err;
generate_counter_tmp = drbg->generate_counter;
drbg->generate_counter = drbg->reseed_interval;
reseed_counter_tmp = drbg->reseed_gen_counter;
drbg->reseed_gen_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
|| !TEST_int_eq(drbg->generate_counter, generate_counter_tmp + 1)
|| !TEST_int_eq(drbg->reseed_gen_counter, reseed_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
@ -591,14 +600,14 @@ static int test_drbg_reseed(int expect_success,
*/
/* Test whether seed propagation is enabled */
if (!TEST_int_ne(master->reseed_counter, 0)
|| !TEST_int_ne(public->reseed_counter, 0)
|| !TEST_int_ne(private->reseed_counter, 0))
if (!TEST_int_ne(master->reseed_prop_counter, 0)
|| !TEST_int_ne(public->reseed_prop_counter, 0)
|| !TEST_int_ne(private->reseed_prop_counter, 0))
return 0;
/* Check whether the master DRBG's reseed counter is the largest one */
if (!TEST_int_le(public->reseed_counter, master->reseed_counter)
|| !TEST_int_le(private->reseed_counter, master->reseed_counter))
if (!TEST_int_le(public->reseed_prop_counter, master->reseed_prop_counter)
|| !TEST_int_le(private->reseed_prop_counter, master->reseed_prop_counter))
return 0;
/*
@ -643,8 +652,8 @@ static int test_drbg_reseed(int expect_success,
if (expect_success == 1) {
/* Test whether all three reseed counters are synchronized */
if (!TEST_int_eq(public->reseed_counter, master->reseed_counter)
|| !TEST_int_eq(private->reseed_counter, master->reseed_counter))
if (!TEST_int_eq(public->reseed_prop_counter, master->reseed_prop_counter)
|| !TEST_int_eq(private->reseed_prop_counter, master->reseed_prop_counter))
return 0;
/* Test whether reseed time of master DRBG is set correctly */
@ -723,7 +732,7 @@ static int test_rand_reseed(void)
* Test whether the public and private DRBG are both reseeded when their
* reseed counters differ from the master's reseed counter.
*/
master->reseed_counter++;
master->reseed_prop_counter++;
if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 1)))
goto error;
reset_drbg_hook_ctx();
@ -732,8 +741,8 @@ static int test_rand_reseed(void)
* Test whether the public DRBG is reseeded when its reseed counter differs
* from the master's reseed counter.
*/
master->reseed_counter++;
private->reseed_counter++;
master->reseed_prop_counter++;
private->reseed_prop_counter++;
if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 0)))
goto error;
reset_drbg_hook_ctx();
@ -742,8 +751,8 @@ static int test_rand_reseed(void)
* Test whether the private DRBG is reseeded when its reseed counter differs
* from the master's reseed counter.
*/
master->reseed_counter++;
public->reseed_counter++;
master->reseed_prop_counter++;
public->reseed_prop_counter++;
if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 1)))
goto error;
reset_drbg_hook_ctx();
@ -765,7 +774,7 @@ static int test_rand_reseed(void)
* Test whether none of the DRBGs is reseed if the master fails to reseed
*/
master_ctx.fail = 1;
master->reseed_counter++;
master->reseed_prop_counter++;
RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
if (!TEST_true(test_drbg_reseed(0, master, public, private, 0, 0, 0)))
goto error;
@ -921,7 +930,7 @@ static int test_rand_add(void)
master->get_entropy = get_pool_entropy;
master->cleanup_entropy = cleanup_pool_entropy;
master->reseed_counter++;
master->reseed_prop_counter++;
RAND_DRBG_uninstantiate(master);
memset(rand_add_buf, 0xCD, sizeof(rand_add_buf));
RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
@ -936,6 +945,113 @@ error:
return rv;
}
static int test_multi_set(void)
{
int rv = 0;
RAND_DRBG *drbg = NULL;
/* init drbg with default CTR initializer */
if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
goto err;
/* change it to use hmac */
if (!TEST_true(RAND_DRBG_set(drbg, NID_sha1, RAND_DRBG_FLAG_HMAC)))
goto err;
/* use same type */
if (!TEST_true(RAND_DRBG_set(drbg, NID_sha1, RAND_DRBG_FLAG_HMAC)))
goto err;
/* change it to use hash */
if (!TEST_true(RAND_DRBG_set(drbg, NID_sha256, 0)))
goto err;
/* use same type */
if (!TEST_true(RAND_DRBG_set(drbg, NID_sha256, 0)))
goto err;
/* change it to use ctr */
if (!TEST_true(RAND_DRBG_set(drbg, NID_aes_192_ctr, 0)))
goto err;
/* use same type */
if (!TEST_true(RAND_DRBG_set(drbg, NID_aes_192_ctr, 0)))
goto err;
if (!TEST_int_gt(RAND_DRBG_instantiate(drbg, NULL, 0), 0))
goto err;
rv = 1;
err:
uninstantiate(drbg);
RAND_DRBG_free(drbg);
return rv;
}
static int test_set_defaults(void)
{
RAND_DRBG *master, *public, *private;
master = RAND_DRBG_get0_master();
public = RAND_DRBG_get0_public();
private = RAND_DRBG_get0_private();
/* Check the default type and flags for master, public and private */
return TEST_int_eq(master->type, RAND_DRBG_TYPE)
&& TEST_int_eq(master->flags,
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_MASTER)
&& TEST_int_eq(public->type, RAND_DRBG_TYPE)
&& TEST_int_eq(public->flags,
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PUBLIC)
&& TEST_int_eq(private->type, RAND_DRBG_TYPE)
&& TEST_int_eq(private->flags,
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PRIVATE)
/* change master DRBG and check again */
&& TEST_true(RAND_DRBG_set_defaults(NID_sha256,
RAND_DRBG_FLAG_MASTER))
&& TEST_true(RAND_DRBG_uninstantiate(master))
&& TEST_int_eq(master->type, NID_sha256)
&& TEST_int_eq(master->flags, RAND_DRBG_FLAG_MASTER)
&& TEST_int_eq(public->type, RAND_DRBG_TYPE)
&& TEST_int_eq(public->flags,
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PUBLIC)
&& TEST_int_eq(private->type, RAND_DRBG_TYPE)
&& TEST_int_eq(private->flags,
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PRIVATE)
/* change private DRBG and check again */
&& TEST_true(RAND_DRBG_set_defaults(NID_sha256,
RAND_DRBG_FLAG_PRIVATE|RAND_DRBG_FLAG_HMAC))
&& TEST_true(RAND_DRBG_uninstantiate(private))
&& TEST_int_eq(master->type, NID_sha256)
&& TEST_int_eq(master->flags, RAND_DRBG_FLAG_MASTER)
&& TEST_int_eq(public->type, RAND_DRBG_TYPE)
&& TEST_int_eq(public->flags,
RAND_DRBG_FLAGS | RAND_DRBG_FLAG_PUBLIC)
&& TEST_int_eq(private->type, NID_sha256)
&& TEST_int_eq(private->flags,
RAND_DRBG_FLAG_PRIVATE | RAND_DRBG_FLAG_HMAC)
/* change public DRBG and check again */
&& TEST_true(RAND_DRBG_set_defaults(NID_sha1,
RAND_DRBG_FLAG_PUBLIC
| RAND_DRBG_FLAG_HMAC))
&& TEST_true(RAND_DRBG_uninstantiate(public))
&& TEST_int_eq(master->type, NID_sha256)
&& TEST_int_eq(master->flags, RAND_DRBG_FLAG_MASTER)
&& TEST_int_eq(public->type, NID_sha1)
&& TEST_int_eq(public->flags,
RAND_DRBG_FLAG_PUBLIC | RAND_DRBG_FLAG_HMAC)
&& TEST_int_eq(private->type, NID_sha256)
&& TEST_int_eq(private->flags,
RAND_DRBG_FLAG_PRIVATE | RAND_DRBG_FLAG_HMAC)
/* Change DRBG defaults and change public and check again */
&& TEST_true(RAND_DRBG_set_defaults(NID_sha256, 0))
&& TEST_true(RAND_DRBG_uninstantiate(public))
&& TEST_int_eq(public->type, NID_sha256)
&& TEST_int_eq(public->flags, RAND_DRBG_FLAG_PUBLIC)
/* Change DRBG defaults and change master and check again */
&& TEST_true(RAND_DRBG_set_defaults(NID_aes_256_ctr,
RAND_DRBG_FLAG_CTR_NO_DF))
&& TEST_true(RAND_DRBG_uninstantiate(master))
&& TEST_int_eq(master->type, NID_aes_256_ctr)
&& TEST_int_eq(master->flags,
RAND_DRBG_FLAG_MASTER|RAND_DRBG_FLAG_CTR_NO_DF);
}
int setup_tests(void)
{
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
@ -944,6 +1060,8 @@ int setup_tests(void)
ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test));
ADD_TEST(test_rand_reseed);
ADD_TEST(test_rand_add);
ADD_TEST(test_multi_set);
ADD_TEST(test_set_defaults);
#if defined(OPENSSL_THREADS)
ADD_TEST(test_multi_thread);
#endif

1091
test/drbgtest.h
View file

File diff suppressed because it is too large Load diff