2017-06-28 00:04:37 +08:00
|
|
|
/*
|
|
|
|
* Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
*
|
|
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
* https://www.openssl.org/source/license.html
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <string.h>
|
2017-08-22 20:35:43 +08:00
|
|
|
#include "internal/nelem.h"
|
2017-06-28 00:04:37 +08:00
|
|
|
#include <openssl/crypto.h>
|
|
|
|
#include <openssl/err.h>
|
|
|
|
#include <openssl/rand.h>
|
|
|
|
#include <openssl/obj_mac.h>
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
#include <openssl/aes.h>
|
|
|
|
#include "../crypto/rand/rand_lcl.h"
|
|
|
|
|
|
|
|
#include "testutil.h"
|
|
|
|
#include "drbgtest.h"
|
|
|
|
|
|
|
|
typedef struct drbg_selftest_data_st {
|
|
|
|
int post;
|
|
|
|
int nid;
|
|
|
|
unsigned int flags;
|
|
|
|
|
|
|
|
/* KAT data for no PR */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
const unsigned char *entropy;
|
|
|
|
size_t entropylen;
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *nonce;
|
|
|
|
size_t noncelen;
|
|
|
|
const unsigned char *pers;
|
|
|
|
size_t perslen;
|
|
|
|
const unsigned char *adin;
|
|
|
|
size_t adinlen;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
const unsigned char *entropyreseed;
|
|
|
|
size_t entropyreseedlen;
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *adinreseed;
|
|
|
|
size_t adinreseedlen;
|
|
|
|
const unsigned char *adin2;
|
|
|
|
size_t adin2len;
|
|
|
|
const unsigned char *expected;
|
|
|
|
size_t exlen;
|
|
|
|
const unsigned char *kat2;
|
|
|
|
size_t kat2len;
|
|
|
|
|
|
|
|
/* KAT data for PR */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
const unsigned char *entropy_pr;
|
|
|
|
size_t entropylen_pr;
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *nonce_pr;
|
|
|
|
size_t noncelen_pr;
|
|
|
|
const unsigned char *pers_pr;
|
|
|
|
size_t perslen_pr;
|
|
|
|
const unsigned char *adin_pr;
|
|
|
|
size_t adinlen_pr;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
const unsigned char *entropypr_pr;
|
|
|
|
size_t entropyprlen_pr;
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *ading_pr;
|
|
|
|
size_t adinglen_pr;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
const unsigned char *entropyg_pr;
|
|
|
|
size_t entropyglen_pr;
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *kat_pr;
|
|
|
|
size_t katlen_pr;
|
|
|
|
const unsigned char *kat2_pr;
|
|
|
|
size_t kat2len_pr;
|
|
|
|
} DRBG_SELFTEST_DATA;
|
|
|
|
|
|
|
|
#define make_drbg_test_data(nid, flag, pr, post) {\
|
|
|
|
post, nid, flag, \
|
|
|
|
pr##_entropyinput, sizeof(pr##_entropyinput), \
|
|
|
|
pr##_nonce, sizeof(pr##_nonce), \
|
|
|
|
pr##_personalizationstring, sizeof(pr##_personalizationstring), \
|
|
|
|
pr##_additionalinput, sizeof(pr##_additionalinput), \
|
|
|
|
pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
|
|
|
|
pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
|
|
|
|
pr##_additionalinput2, sizeof(pr##_additionalinput2), \
|
|
|
|
pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
|
|
|
|
pr##_returnedbits, sizeof(pr##_returnedbits), \
|
|
|
|
pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
|
|
|
|
pr##_pr_nonce, sizeof(pr##_pr_nonce), \
|
|
|
|
pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
|
|
|
|
pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
|
|
|
|
pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
|
|
|
|
pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
|
|
|
|
pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
|
|
|
|
pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
|
|
|
|
pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
|
|
|
|
}
|
|
|
|
|
|
|
|
#define make_drbg_test_data_df(nid, pr, p) \
|
|
|
|
make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_USE_DF, pr, p)
|
|
|
|
|
|
|
|
static DRBG_SELFTEST_DATA drbg_test[] = {
|
|
|
|
make_drbg_test_data (NID_aes_128_ctr, 0, aes_128_no_df, 0),
|
|
|
|
make_drbg_test_data (NID_aes_192_ctr, 0, aes_192_no_df, 0),
|
|
|
|
make_drbg_test_data (NID_aes_256_ctr, 0, aes_256_no_df, 1),
|
2017-08-03 21:23:28 +08:00
|
|
|
make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
|
|
|
|
make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
|
|
|
|
make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
|
2017-06-28 00:04:37 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
static int app_data_index;
|
|
|
|
|
|
|
|
/*
|
2017-08-03 21:23:28 +08:00
|
|
|
* Test context data, attached as EXDATA to the RAND_DRBG
|
2017-06-28 00:04:37 +08:00
|
|
|
*/
|
|
|
|
typedef struct test_ctx_st {
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
const unsigned char *entropy;
|
|
|
|
size_t entropylen;
|
|
|
|
int entropycnt;
|
2017-06-28 00:04:37 +08:00
|
|
|
const unsigned char *nonce;
|
|
|
|
size_t noncelen;
|
|
|
|
int noncecnt;
|
|
|
|
} TEST_CTX;
|
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
|
2017-06-28 00:04:37 +08:00
|
|
|
int entropy, size_t min_len, size_t max_len)
|
|
|
|
{
|
2017-08-03 21:23:28 +08:00
|
|
|
TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
2017-06-28 00:04:37 +08:00
|
|
|
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t->entropycnt++;
|
|
|
|
*pout = (unsigned char *)t->entropy;
|
|
|
|
return t->entropylen;
|
2017-06-28 00:04:37 +08:00
|
|
|
}
|
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
|
2017-06-28 00:04:37 +08:00
|
|
|
int entropy, size_t min_len, size_t max_len)
|
|
|
|
{
|
2017-08-03 21:23:28 +08:00
|
|
|
TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
2017-06-28 00:04:37 +08:00
|
|
|
|
|
|
|
t->noncecnt++;
|
|
|
|
*pout = (unsigned char *)t->nonce;
|
|
|
|
return t->noncelen;
|
|
|
|
}
|
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
static int uninstantiate(RAND_DRBG *drbg)
|
2017-06-28 00:04:37 +08:00
|
|
|
{
|
2017-08-03 21:23:28 +08:00
|
|
|
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
|
2017-06-28 00:04:37 +08:00
|
|
|
|
|
|
|
ERR_clear_error();
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Do a single KAT test. Return 0 on failure.
|
|
|
|
*/
|
|
|
|
static int single_kat(DRBG_SELFTEST_DATA *td)
|
|
|
|
{
|
2017-08-03 21:23:28 +08:00
|
|
|
RAND_DRBG *drbg = NULL;
|
2017-06-28 00:04:37 +08:00
|
|
|
TEST_CTX t;
|
|
|
|
int failures = 0;
|
|
|
|
unsigned char buff[1024];
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Test without PR: Instantiate DRBG with test entropy, nonce and
|
|
|
|
* personalisation string.
|
|
|
|
*/
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
|
2017-06-28 00:04:37 +08:00
|
|
|
return 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
2017-06-28 00:04:37 +08:00
|
|
|
kat_nonce, NULL))) {
|
|
|
|
failures++;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
memset(&t, 0, sizeof(t));
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropy = td->entropy;
|
|
|
|
t.entropylen = td->entropylen;
|
2017-06-28 00:04:37 +08:00
|
|
|
t.nonce = td->nonce;
|
|
|
|
t.noncelen = td->noncelen;
|
2017-08-03 21:23:28 +08:00
|
|
|
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|
|
|
|
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin, td->adinlen))
|
|
|
|
|| !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen))
|
|
|
|
failures++;
|
|
|
|
|
|
|
|
/* Reseed DRBG with test entropy and additional input */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropy = td->entropyreseed;
|
|
|
|
t.entropylen = td->entropyreseedlen;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen)
|
|
|
|
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin2, td->adin2len))
|
|
|
|
|| !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len)))
|
|
|
|
failures++;
|
2017-08-03 21:23:28 +08:00
|
|
|
uninstantiate(drbg);
|
2017-06-28 00:04:37 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Now test with PR: Instantiate DRBG with test entropy, nonce and
|
|
|
|
* personalisation string.
|
|
|
|
*/
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags))
|
|
|
|
|| !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
2017-06-28 00:04:37 +08:00
|
|
|
kat_nonce, NULL)))
|
|
|
|
failures++;
|
2017-08-03 21:23:28 +08:00
|
|
|
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropy = td->entropy_pr;
|
|
|
|
t.entropylen = td->entropylen_pr;
|
2017-06-28 00:04:37 +08:00
|
|
|
t.nonce = td->nonce_pr;
|
|
|
|
t.noncelen = td->noncelen_pr;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropycnt = 0;
|
2017-06-28 00:04:37 +08:00
|
|
|
t.noncecnt = 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr)))
|
2017-06-28 00:04:37 +08:00
|
|
|
failures++;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now generate with PR: we need to supply entropy as this will
|
|
|
|
* perform a reseed operation.
|
|
|
|
*/
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropy = td->entropypr_pr;
|
|
|
|
t.entropylen = td->entropyprlen_pr;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin_pr, td->adinlen_pr))
|
|
|
|
|| !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr))
|
|
|
|
failures++;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now generate again with PR: supply new entropy again.
|
|
|
|
*/
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropy = td->entropyg_pr;
|
|
|
|
t.entropylen = td->entropyglen_pr;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->ading_pr, td->adinglen_pr))
|
|
|
|
|| !TEST_mem_eq(td->kat2_pr, td->kat2len_pr,
|
|
|
|
buff, td->kat2len_pr))
|
|
|
|
failures++;
|
|
|
|
|
|
|
|
err:
|
2017-08-03 21:23:28 +08:00
|
|
|
uninstantiate(drbg);
|
|
|
|
RAND_DRBG_free(drbg);
|
2017-06-28 00:04:37 +08:00
|
|
|
return failures == 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Initialise a DRBG based on selftest data
|
|
|
|
*/
|
2017-08-03 21:23:28 +08:00
|
|
|
static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
|
2017-06-28 00:04:37 +08:00
|
|
|
{
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags))
|
|
|
|
|| !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
2017-06-28 00:04:37 +08:00
|
|
|
kat_nonce, NULL)))
|
|
|
|
return 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
RAND_DRBG_set_ex_data(drbg, app_data_index, t);
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t->entropy = td->entropy;
|
|
|
|
t->entropylen = td->entropylen;
|
2017-06-28 00:04:37 +08:00
|
|
|
t->nonce = td->nonce;
|
|
|
|
t->noncelen = td->noncelen;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t->entropycnt = 0;
|
2017-06-28 00:04:37 +08:00
|
|
|
t->noncecnt = 0;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Initialise and instantiate DRBG based on selftest data
|
|
|
|
*/
|
2017-08-03 21:23:28 +08:00
|
|
|
static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td,
|
2017-06-28 00:04:37 +08:00
|
|
|
TEST_CTX *t)
|
|
|
|
{
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(init(drbg, td, t))
|
|
|
|
|| !TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen)))
|
2017-06-28 00:04:37 +08:00
|
|
|
return 0;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Perform extensive error checking as required by SP800-90.
|
|
|
|
* Induce several failure modes and check an error condition is set.
|
|
|
|
*/
|
|
|
|
static int error_check(DRBG_SELFTEST_DATA *td)
|
|
|
|
{
|
2017-08-03 21:23:28 +08:00
|
|
|
static char zero[sizeof(RAND_DRBG)];
|
|
|
|
RAND_DRBG *drbg = NULL;
|
2017-06-28 00:04:37 +08:00
|
|
|
TEST_CTX t;
|
|
|
|
unsigned char buff[1024];
|
|
|
|
unsigned int reseed_counter_tmp;
|
|
|
|
int ret = 0;
|
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Personalisation string tests
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Test detection of too large personlisation string */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!init(drbg, td, &t)
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
|| RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Entropy source tests
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Test entropy source failure detecion: i.e. returns no data */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropylen = 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (TEST_int_le(RAND_DRBG_instantiate(drbg, td->pers, td->perslen), 0))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Try to generate output from uninstantiated DRBG */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin, td->adinlen))
|
2017-08-03 21:23:28 +08:00
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Test insufficient entropy */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropylen = drbg->min_entropylen - 1;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!init(drbg, td, &t)
|
|
|
|
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Test too much entropy */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropylen = drbg->max_entropylen + 1;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!init(drbg, td, &t)
|
|
|
|
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Nonce tests
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Test too small nonce */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
if (drbg->min_noncelen) {
|
|
|
|
t.noncelen = drbg->min_noncelen - 1;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!init(drbg, td, &t)
|
|
|
|
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Test too large nonce */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
if (drbg->max_noncelen) {
|
|
|
|
t.noncelen = drbg->max_noncelen + 1;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!init(drbg, td, &t)
|
|
|
|
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Instantiate with valid data, Check generation is now OK */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!instantiate(drbg, td, &t)
|
|
|
|
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin, td->adinlen)))
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Request too much data for one request */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_false(RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin, td->adinlen)))
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Try too large additional input */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
td->adin, drbg->max_adinlen + 1)))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check prediction resistance request fails if entropy source
|
|
|
|
* failure.
|
|
|
|
*/
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropylen = 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin, td->adinlen))
|
2017-08-03 21:23:28 +08:00
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
2017-07-20 06:18:16 +08:00
|
|
|
/* Instantiate again with valid data */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!instantiate(drbg, td, &t))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
2017-08-03 21:23:28 +08:00
|
|
|
reseed_counter_tmp = drbg->reseed_counter;
|
|
|
|
drbg->reseed_counter = drbg->reseed_interval;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
|
|
|
/* Generate output and check entropy has been requested for reseed */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropycnt = 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin, td->adinlen))
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
|| !TEST_int_eq(t.entropycnt, 1)
|
2017-08-03 21:23:28 +08:00
|
|
|
|| !TEST_int_eq(drbg->reseed_counter, reseed_counter_tmp + 1)
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check prediction resistance request fails if entropy source
|
|
|
|
* failure.
|
|
|
|
*/
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropylen = 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin, td->adinlen))
|
2017-08-03 21:23:28 +08:00
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Test reseed counter works */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!instantiate(drbg, td, &t))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
2017-08-03 21:23:28 +08:00
|
|
|
reseed_counter_tmp = drbg->reseed_counter;
|
|
|
|
drbg->reseed_counter = drbg->reseed_interval;
|
2017-06-28 00:04:37 +08:00
|
|
|
|
|
|
|
/* Generate output and check entropy has been requested for reseed */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropycnt = 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
2017-06-28 00:04:37 +08:00
|
|
|
td->adin, td->adinlen))
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
|| !TEST_int_eq(t.entropycnt, 1)
|
2017-08-03 21:23:28 +08:00
|
|
|
|| !TEST_int_eq(drbg->reseed_counter, reseed_counter_tmp + 1)
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Explicit reseed tests
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Test explicit reseed with too large additional input */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!init(drbg, td, &t)
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
|| RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1) > 0)
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Test explicit reseed with entropy source failure */
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropylen = 0;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen), 0)
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Test explicit reseed with too much entropy */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!init(drbg, td, &t))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropylen = drbg->max_entropylen + 1;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen), 0)
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Test explicit reseed with too little entropy */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!init(drbg, td, &t))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
DRBG: clarify difference between entropy counts and buffer lengths
Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.
To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:
- {min,max}_{entropy,adin,nonce,pers}
+ {min,max}_{entropy,adin,nonce,pers}len
This change makes naming also more consistent, as can be seen in the
diffs, for example:
- else if (adinlen > drbg->max_adin) {
+ else if (adinlen > drbg->max_adinlen) {
Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
2017-08-21 05:02:46 +08:00
|
|
|
t.entropylen = drbg->min_entropylen - 1;
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen), 0)
|
|
|
|
|| !uninstantiate(drbg))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Standard says we have to check uninstantiate really zeroes */
|
2017-08-03 21:23:28 +08:00
|
|
|
if (!TEST_mem_eq(zero, sizeof(drbg->ctr), &drbg->ctr, sizeof(drbg->ctr)))
|
2017-06-28 00:04:37 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
ret = 1;
|
|
|
|
|
|
|
|
err:
|
2017-08-03 21:23:28 +08:00
|
|
|
uninstantiate(drbg);
|
|
|
|
RAND_DRBG_free(drbg);
|
2017-06-28 00:04:37 +08:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int test_kats(int i)
|
|
|
|
{
|
|
|
|
DRBG_SELFTEST_DATA *td = &drbg_test[i];
|
|
|
|
int rv = 0;
|
|
|
|
|
|
|
|
if (!single_kat(td))
|
|
|
|
goto err;
|
|
|
|
rv = 1;
|
|
|
|
|
|
|
|
err:
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int test_error_checks(int i)
|
|
|
|
{
|
|
|
|
DRBG_SELFTEST_DATA *td = &drbg_test[i];
|
|
|
|
int rv = 0;
|
|
|
|
|
|
|
|
if (error_check(td))
|
|
|
|
goto err;
|
|
|
|
rv = 1;
|
|
|
|
|
|
|
|
err:
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
2017-08-03 21:23:28 +08:00
|
|
|
#define RAND_ADD_SIZE 500
|
|
|
|
|
2017-08-16 05:39:03 +08:00
|
|
|
static int test_rand_add(void)
|
2017-08-03 21:23:28 +08:00
|
|
|
{
|
|
|
|
char *p;
|
|
|
|
|
2017-09-01 05:16:22 +08:00
|
|
|
if (!TEST_ptr(p = calloc(RAND_ADD_SIZE, 1)))
|
2017-08-03 21:23:28 +08:00
|
|
|
return 0;
|
|
|
|
RAND_add(p, RAND_ADD_SIZE, RAND_ADD_SIZE);
|
|
|
|
free(p);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2017-06-28 00:04:37 +08:00
|
|
|
|
2017-07-18 09:48:27 +08:00
|
|
|
int setup_tests(void)
|
2017-06-28 00:04:37 +08:00
|
|
|
{
|
|
|
|
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
|
|
|
|
|
|
|
|
ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test));
|
|
|
|
ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test));
|
2017-08-03 21:23:28 +08:00
|
|
|
ADD_TEST(test_rand_add);
|
2017-07-18 09:48:27 +08:00
|
|
|
return 1;
|
2017-06-28 00:04:37 +08:00
|
|
|
}
|