Change RNG test to block oriented instead of request oriented, add option

to test a "stuck" DRBG.

diff --git a/crypto/fips_err.h b/crypto/fips_err.h
index c808c888644c460c214c40e6330cc0228350515b..97a73f1dc2bc44168a12fde269221017089bab27 100644 (file)
--- a/crypto/fips_err.h
+++ b/crypto/fips_err.h
@@ -71,6 +71,7 @@
 static ERR_STRING_DATA FIPS_str_functs[]=
        {
 {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS),        "DH_BUILTIN_GENPARAMS"},
+{ERR_FUNC(FIPS_F_DRBG_CPRNG_TEST),     "DRBG_CPRNG_TEST"},
 {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN),        "DSA_BUILTIN_PARAMGEN"},
 {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2),       "DSA_BUILTIN_PARAMGEN2"},
 {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
@@ -139,6 +140,7 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED),"generate error undetected"},
 {ERR_REASON(FIPS_R_INSTANTIATE_ERROR)    ,"instantiate error"},
 {ERR_REASON(FIPS_R_INSUFFICIENT_SECURITY_STRENGTH),"insufficient security strength"},
+{ERR_REASON(FIPS_R_INTERNAL_ERROR)       ,"internal error"},
 {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH)   ,"invalid key length"},
 {ERR_REASON(FIPS_R_IN_ERROR_STATE)       ,"in error state"},
 {ERR_REASON(FIPS_R_KEY_TOO_SHORT)        ,"key too short"},

diff --git a/fips/fips.h b/fips/fips.h
index 921591ba98313d813d5b3fe5c075d68094e70e9d..79160bbaace10f46a59638196d0de7f8b8df0086 100644 (file)
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -92,6 +92,7 @@ void FIPS_corrupt_ec_keygen(void);
 void FIPS_corrupt_rng(void);
 void FIPS_corrupt_drbg(void);
 void FIPS_rng_stick(void);
+void FIPS_drbg_stick(void);
 int FIPS_selftest_rng(void);
 int FIPS_selftest_hmac(void);
 int FIPS_selftest_drbg(void);
@@ -188,6 +189,7 @@ void ERR_load_FIPS_strings(void);
 
 /* Function codes. */
 #define FIPS_F_DH_BUILTIN_GENPARAMS                     100
+#define FIPS_F_DRBG_CPRNG_TEST                          141
 #define FIPS_F_DSA_BUILTIN_PARAMGEN                     101
 #define FIPS_F_DSA_BUILTIN_PARAMGEN2                    126
 #define FIPS_F_DSA_DO_SIGN                              102
@@ -253,6 +255,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_R_GENERATE_ERROR_UNDETECTED                136
 #define FIPS_R_INSTANTIATE_ERROR                        125
 #define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH           132
+#define FIPS_R_INTERNAL_ERROR                           143
 #define FIPS_R_INVALID_KEY_LENGTH                       109
 #define FIPS_R_IN_ERROR_STATE                           126
 #define FIPS_R_KEY_TOO_SHORT                            108

diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index 6addef6386649108e5949a307fdad89a603c9ef3..aa7fbf814f0952a2af0e109c131c10b2879e8c7f 100644 (file)
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -671,6 +671,7 @@ int main(int argc,char **argv)
     int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
     int bad_rsa = 0, bad_dsa = 0;
     int do_rng_stick = 0;
+    int do_drbg_stick = 0;
     int no_exit = 0;
 
     fips_algtest_init_nofips();
@@ -727,6 +728,10 @@ int main(int argc,char **argv)
            do_rng_stick = 1;
            no_exit = 1;
            printf("RNG test with stuck continuous test...\n");
+       } else if (!strcmp(argv[1], "drbgstick")) {
+           do_drbg_stick = 1;
+           no_exit = 1;
+           printf("DRBG test with stuck continuous test...\n");
         } else {
             printf("Bad argument \"%s\"\n", argv[1]);
             exit(1);
@@ -756,6 +761,8 @@ int main(int argc,char **argv)
             FIPS_corrupt_dsa_keygen();
     if (do_corrupt_rsa_keygen)
             FIPS_corrupt_rsa_keygen();
+    if (do_drbg_stick)
+            FIPS_drbg_stick();
     if (do_rng_stick)
             FIPS_rng_stick();
 

diff --git a/fips/rand/fips_drbg_ctr.c b/fips/rand/fips_drbg_ctr.c
index 0a5270dcefaf12cdd74feda359bda488279ca9f8..2a3c321618dcbc145d585f1a72f3bea22283c5e3 100644 (file)
--- a/fips/rand/fips_drbg_ctr.c
+++ b/fips/rand/fips_drbg_ctr.c
@@ -330,14 +330,24 @@ static int drbg_ctr_generate(DRBG_CTX *dctx,
        for (;;)
                {
                inc_128(cctx);
+               if (!(dctx->flags & DRBG_FLAG_TEST) && !dctx->lb_valid)
+                       {
+                       AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
+                       dctx->lb_valid = 1;
+                       continue;
+                       }
                if (outlen < 16)
                        {
                        /* Use K as temp space as it will be updated */
                        AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+                       if (!drbg_cprng_test(dctx, cctx->K))
+                               return 0;
                        memcpy(out, cctx->K, outlen);
                        break;
                        }
                AES_encrypt(cctx->V, out, &cctx->ks);
+               if (!drbg_cprng_test(dctx, out))
+                       return 0;
                out += 16;
                outlen -= 16;
                if (outlen == 0)

diff --git a/fips/rand/fips_drbg_hash.c b/fips/rand/fips_drbg_hash.c
index b20d0726466af0f405fb89e4668a977882fdc5b0..8b49f33a63081f0dcc63965dd171451e19e96bc3 100644 (file)
--- a/fips/rand/fips_drbg_hash.c
+++ b/fips/rand/fips_drbg_hash.c
@@ -195,13 +195,23 @@ static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
                {
                FIPS_digestinit(&hctx->mctx, hctx->md);
                FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
+               if (!(dctx->flags & DRBG_FLAG_TEST) && !dctx->lb_valid)
+                       {
+                       FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
+                       dctx->lb_valid = 1;
+                       continue;
+                       }
                if (outlen < dctx->blocklength)
                        {
                        FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
+                       if (!drbg_cprng_test(dctx, hctx->vtmp))
+                               return 0;
                        memcpy(out, hctx->vtmp, outlen);
                        return 1;
                        }
                FIPS_digestfinal(&hctx->mctx, out, NULL);
+               if (!drbg_cprng_test(dctx, out))
+                       return 0;
                outlen -= dctx->blocklength;
                if (outlen == 0)
                        return 1;

diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c
index 5564538540ef6d324896831b1b9cb50dfaa64a11..920a61a97a71f07b3e96fba510c5e21147ecf5a3 100644 (file)
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@@ -268,8 +268,7 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
        }
 
 
-static int fips_drbg_generate_internal(DRBG_CTX *dctx,
-                       unsigned char *out, size_t outlen,
+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
                        int strength, int prediction_resistance,
                        const unsigned char *adin, size_t adinlen)
        {
@@ -323,76 +322,13 @@ static int fips_drbg_generate_internal(DRBG_CTX *dctx,
        if (r)
                {
                if (!(dctx->flags & DRBG_FLAG_NOERR))
-                       FIPSerr(FIPS_F_FIPS_DRBG_GENERATE_INTERNAL, r);
+                       FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
                return 0;
                }
 
        return 1;
        }
 
-/* external generate function: incorporates continuous RNG test if not
- * in test mode.
- */
-
-int FIPS_drbg_generate(DRBG_CTX *dctx,
-                       unsigned char *out, size_t outlen,
-                       int strength, int prediction_resistance,
-                       const unsigned char *adin, size_t adinlen)
-       {
-       unsigned char tmp[16], *pout;
-       size_t poutlen;
-       /* If test mode don't run continuous RNG test */
-       if (dctx->flags & DRBG_FLAG_TEST)
-               {
-               return fips_drbg_generate_internal(dctx, out, outlen,
-                                                       strength,
-                                                       prediction_resistance,
-                                                       adin, adinlen);
-               }
-       /* If this is the first call generate block and save buffer */
-       if (!dctx->lb_valid)
-               {
-               if (!fips_drbg_generate_internal(dctx, dctx->lb, 16,
-                                               strength, prediction_resistance,
-                                               adin, adinlen))
-                       return 0;
-               dctx->lb_valid = 1;
-               }
-
-       /* If request less that 16 bytes request 16 in temp buffer */
-
-       if (outlen < 16)
-               {
-               pout = tmp;
-               poutlen = 16;
-               }
-       else
-               {
-               pout = out;
-               poutlen = outlen;
-               }
-
-       /* Generate data */
-       if (!fips_drbg_generate_internal(dctx, pout, poutlen,
-                                               strength, prediction_resistance,
-                                               adin, adinlen))
-                       return 0;
-       /* Compare to last block for continuous PRNG test */
-       if (!memcmp(pout, dctx->lb, 16))
-               {
-               FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_DRBG_STUCK);
-               return 0;
-               }
-       /* Update last block */
-       memcpy(dctx->lb, pout, 16);
-       /* Copy to output buffer if needed */
-       if (outlen < 16)
-               memcpy(out, pout, outlen);
-
-       return 1;
-
-       }
-
 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
        {
        int rv;
@@ -461,3 +397,37 @@ int FIPS_drbg_get_strength(DRBG_CTX *dctx)
        {
        return dctx->strength;
        }
+
+static int drbg_stick = 0;
+
+void FIPS_drbg_stick(void)
+       {
+       drbg_stick = 1;
+       }
+
+/* Continuous DRBG utility function */
+int drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
+       {
+       /* No CPRNG in test mode */
+       if (dctx->flags & DRBG_FLAG_TEST)
+               return 1;
+       /* Check block is valid: should never happen */
+       if (dctx->lb_valid == 0)
+               {
+               FIPSerr(FIPS_F_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
+               fips_set_selftest_fail();
+               return 0;
+               }
+       if (drbg_stick)
+               memcpy(dctx->lb, out, dctx->blocklength);
+       /* Check against last block: fail if match */
+       if (!memcmp(dctx->lb, out, dctx->blocklength))
+               {
+               FIPSerr(FIPS_F_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
+               fips_set_selftest_fail();
+               return 0;
+               }
+       /* Save last block for next comparison */
+       memcpy(dctx->lb, out, dctx->blocklength);
+       return 1;
+       }

diff --git a/fips/rand/fips_drbg_rand.c b/fips/rand/fips_drbg_rand.c
index f179bd82a9259c48675123a797f45fe3e8dea688..4e02fd94081555d33439b9296c23e866d61fafec 100644 (file)
--- a/fips/rand/fips_drbg_rand.c
+++ b/fips/rand/fips_drbg_rand.c
@@ -117,6 +117,13 @@ static int fips_drbg_bytes(unsigned char *out, int count)
        return rv;
        }
 
+static int fips_drbg_pseudo(unsigned char *out, int count)
+       {
+       if (fips_drbg_bytes(out, count) <= 0)
+               return -1;
+       return 1;
+       }
+
 static int fips_drbg_status(void)
        {
        DRBG_CTX *dctx = &ossl_dctx;
@@ -168,7 +175,7 @@ static const RAND_METHOD rand_drbg_meth =
        fips_drbg_bytes,
        fips_drbg_cleanup,
        fips_drbg_add,
-       fips_drbg_bytes,
+       fips_drbg_pseudo,
        fips_drbg_status
        };
 

diff --git a/fips/rand/fips_rand_lcl.h b/fips/rand/fips_rand_lcl.h
index e3859163a3e3a9c6b0f7a54dd92c010fb807924b..2d63409537bf6f5a1df50ca3ed88513c7b3c1efb 100644 (file)
--- a/fips/rand/fips_rand_lcl.h
+++ b/fips/rand/fips_rand_lcl.h
@@ -100,6 +100,10 @@ struct drbg_ctr_ctx_st
 /* A default maximum length: larger than any reasonable value used in pratice */
 
 #define DRBG_MAX_LENGTH                        0x7ffffff0
+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
+ * so use max digest length.
+ */
+#define DRBG_MAX_BLOCK                 EVP_MAX_MD_SIZE
 
 /* DRBG context structure */
 
@@ -163,7 +167,7 @@ struct drbg_ctx_st
 
        /* Continuous random number test temporary area */
        /* Last block */        
-       unsigned char lb[16];
+       unsigned char lb[EVP_MAX_MD_SIZE];
        /* set if lb is valid */
        int lb_valid;
 
@@ -181,3 +185,4 @@ struct drbg_ctx_st
 int fips_drbg_ctr_init(DRBG_CTX *dctx);
 int fips_drbg_hash_init(DRBG_CTX *dctx);
 int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
+int drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);