diff options
author | Rich Salz <rsalz@openssl.org> | 2017-06-27 12:04:37 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2017-07-19 03:25:16 -0400 |
commit | 12fb8c3d2dd00f3d4f1b084385403d26ed64a596 (patch) | |
tree | 7fc90f8f80e16ab4e8b79def2162a56dd2d704dc /test/drbgtest.c | |
parent | 0299f3f790437d124d15f60489c774407325f82b (diff) | |
download | openssl-12fb8c3d2dd00f3d4f1b084385403d26ed64a596.tar.gz |
Add DRBG random method
Ported from the last FIPS release, with DUAL_EC and SHA1 and the
self-tests removed. Since only AES-CTR is supported, other code
simplifications were done. Removed the "entropy blocklen" concept.
Moved internal functions to new include/internal/rand.h.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3789)
Diffstat (limited to 'test/drbgtest.c')
-rw-r--r-- | test/drbgtest.c | 490 |
1 files changed, 490 insertions, 0 deletions
diff --git a/test/drbgtest.c b/test/drbgtest.c new file mode 100644 index 0000000000..80d0b8b590 --- /dev/null +++ b/test/drbgtest.c @@ -0,0 +1,490 @@ +/* + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include "e_os.h" +#include <openssl/crypto.h> +#include <openssl/err.h> +#include <openssl/rand.h> +#include <openssl/obj_mac.h> +#include <openssl/evp.h> +#include <openssl/aes.h> +#include "../crypto/rand/rand_lcl.h" + +#include "testutil.h" +#include "drbgtest.h" + +typedef struct drbg_selftest_data_st { + int post; + int nid; + unsigned int flags; + + /* KAT data for no PR */ + const unsigned char *ent; + size_t entlen; + const unsigned char *nonce; + size_t noncelen; + const unsigned char *pers; + size_t perslen; + const unsigned char *adin; + size_t adinlen; + const unsigned char *entreseed; + size_t entreseedlen; + const unsigned char *adinreseed; + size_t adinreseedlen; + const unsigned char *adin2; + size_t adin2len; + const unsigned char *expected; + size_t exlen; + const unsigned char *kat2; + size_t kat2len; + + /* KAT data for PR */ + const unsigned char *ent_pr; + size_t entlen_pr; + const unsigned char *nonce_pr; + size_t noncelen_pr; + const unsigned char *pers_pr; + size_t perslen_pr; + const unsigned char *adin_pr; + size_t adinlen_pr; + const unsigned char *entpr_pr; + size_t entprlen_pr; + const unsigned char *ading_pr; + size_t adinglen_pr; + const unsigned char *entg_pr; + size_t entglen_pr; + const unsigned char *kat_pr; + size_t katlen_pr; + const unsigned char *kat2_pr; + size_t kat2len_pr; +} DRBG_SELFTEST_DATA; + +#define make_drbg_test_data(nid, flag, pr, post) {\ + post, nid, flag, \ + pr##_entropyinput, sizeof(pr##_entropyinput), \ + pr##_nonce, sizeof(pr##_nonce), \ + pr##_personalizationstring, sizeof(pr##_personalizationstring), \ + pr##_additionalinput, sizeof(pr##_additionalinput), \ + pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ + pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ + pr##_additionalinput2, sizeof(pr##_additionalinput2), \ + pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ + pr##_returnedbits, sizeof(pr##_returnedbits), \ + pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ + pr##_pr_nonce, sizeof(pr##_pr_nonce), \ + pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ + pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ + pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ + pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ + pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ + pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ + pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \ + } + +#define make_drbg_test_data_df(nid, pr, p) \ + make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_USE_DF, pr, p) + +static DRBG_SELFTEST_DATA drbg_test[] = { + make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0), + make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0), + make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1), + make_drbg_test_data (NID_aes_128_ctr, 0, aes_128_no_df, 0), + make_drbg_test_data (NID_aes_192_ctr, 0, aes_192_no_df, 0), + make_drbg_test_data (NID_aes_256_ctr, 0, aes_256_no_df, 1), +}; + +static int app_data_index; + +/* + * Test context data, attached as appdata to the DRBG_CTX + */ +typedef struct test_ctx_st { + const unsigned char *ent; + size_t entlen; + int entcnt; + const unsigned char *nonce; + size_t noncelen; + int noncecnt; +} TEST_CTX; + +static size_t kat_entropy(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index); + + t->entcnt++; + *pout = (unsigned char *)t->ent; + return t->entlen; +} + +static size_t kat_nonce(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index); + + t->noncecnt++; + *pout = (unsigned char *)t->nonce; + return t->noncelen; +} + +static int uninstantiate(DRBG_CTX *dctx) +{ + int ret = dctx == NULL ? 1 : RAND_DRBG_uninstantiate(dctx); + + ERR_clear_error(); + return ret; +} + +/* + * Do a single KAT test. Return 0 on failure. + */ +static int single_kat(DRBG_SELFTEST_DATA *td) +{ + DRBG_CTX *dctx = NULL; + TEST_CTX t; + int failures = 0; + unsigned char buff[1024]; + + /* + * Test without PR: Instantiate DRBG with test entropy, nonce and + * personalisation string. + */ + if (!TEST_ptr(dctx = RAND_DRBG_new(td->nid, td->flags, NULL))) + return 0; + if (!TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL, + kat_nonce, NULL))) { + failures++; + goto err; + } + memset(&t, 0, sizeof(t)); + t.ent = td->ent; + t.entlen = td->entlen; + t.nonce = td->nonce; + t.noncelen = td->noncelen; + RAND_DRBG_set_ex_data(dctx, app_data_index, &t); + + if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen)) + || !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen)) + || !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen)) + failures++; + + /* Reseed DRBG with test entropy and additional input */ + t.ent = td->entreseed; + t.entlen = td->entreseedlen; + if (!TEST_true(RAND_DRBG_reseed(dctx, td->adinreseed, td->adinreseedlen) + || !TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len, 0, + td->adin2, td->adin2len)) + || !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len))) + failures++; + uninstantiate(dctx); + + /* + * Now test with PR: Instantiate DRBG with test entropy, nonce and + * personalisation string. + */ + if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags)) + || !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL, + kat_nonce, NULL))) + failures++; + RAND_DRBG_set_ex_data(dctx, app_data_index, &t); + t.ent = td->ent_pr; + t.entlen = td->entlen_pr; + t.nonce = td->nonce_pr; + t.noncelen = td->noncelen_pr; + t.entcnt = 0; + t.noncecnt = 0; + if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers_pr, td->perslen_pr))) + failures++; + + /* + * Now generate with PR: we need to supply entropy as this will + * perform a reseed operation. + */ + t.ent = td->entpr_pr; + t.entlen = td->entprlen_pr; + if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->katlen_pr, 1, + td->adin_pr, td->adinlen_pr)) + || !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr)) + failures++; + + /* + * Now generate again with PR: supply new entropy again. + */ + t.ent = td->entg_pr; + t.entlen = td->entglen_pr; + + if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len_pr, 1, + td->ading_pr, td->adinglen_pr)) + || !TEST_mem_eq(td->kat2_pr, td->kat2len_pr, + buff, td->kat2len_pr)) + failures++; + +err: + uninstantiate(dctx); + RAND_DRBG_free(dctx); + return failures == 0; +} + +/* + * Initialise a DRBG based on selftest data + */ +static int init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_CTX *t) +{ + if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags)) + || !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL, + kat_nonce, NULL))) + return 0; + RAND_DRBG_set_ex_data(dctx, app_data_index, t); + t->ent = td->ent; + t->entlen = td->entlen; + t->nonce = td->nonce; + t->noncelen = td->noncelen; + t->entcnt = 0; + t->noncecnt = 0; + return 1; +} + +/* + * Initialise and instantiate DRBG based on selftest data + */ +static int instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, + TEST_CTX *t) +{ + if (!TEST_true(init(dctx, td, t)) + || !TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen))) + return 0; + return 1; +} + +/* + * Perform extensive error checking as required by SP800-90. + * Induce several failure modes and check an error condition is set. + */ +static int error_check(DRBG_SELFTEST_DATA *td) +{ + static char zero[sizeof(DRBG_CTX)]; + DRBG_CTX *dctx = NULL; + TEST_CTX t; + unsigned char buff[1024]; + unsigned int reseed_counter_tmp; + int ret = 0; + + if (!TEST_ptr(dctx = RAND_DRBG_new(0, 0, NULL))) + goto err; + + /* + * Personalisation string tests + */ + + /* Test detection of too large personlisation string */ + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) + goto err; + + /* + * Entropy source tests + */ + + /* Test entropy source failure detecion: i.e. returns no data */ + t.entlen = 0; + if (TEST_int_le(RAND_DRBG_instantiate(dctx, td->pers, td->perslen), 0)) + goto err; + + /* Try to generate output from uninstantiated DRBG */ + if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen)) + || !uninstantiate(dctx)) + goto err; + + /* Test insufficient entropy */ + t.entlen = dctx->min_entropy - 1; + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0 + || !uninstantiate(dctx)) + goto err; + + /* Test too much entropy */ + t.entlen = dctx->max_entropy + 1; + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0 + || !uninstantiate(dctx)) + goto err; + + /* + * Nonce tests + */ + + /* Test too small nonce */ + if (dctx->min_nonce) { + t.noncelen = dctx->min_nonce - 1; + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0 + || !uninstantiate(dctx)) + goto err; + } + + /* Test too large nonce */ + if (dctx->max_nonce) { + t.noncelen = dctx->max_nonce + 1; + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0 + || !uninstantiate(dctx)) + goto err; + } + + /* Instantiate with valid data, Check generation is now OK */ + if (!instantiate(dctx, td, &t) + || !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen))) + goto err; + + /* Request too much data for one request */ + if (!TEST_false(RAND_DRBG_generate(dctx, buff, dctx->max_request + 1, 0, + td->adin, td->adinlen))) + goto err; + + /* Try too large additional input */ + if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, dctx->max_adin + 1))) + goto err; + + /* + * Check prediction resistance request fails if entropy source + * failure. + */ + t.entlen = 0; + if (TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1, + td->adin, td->adinlen)) + || !uninstantiate(dctx)) + goto err; + + /* Instantiate again with valid data */ + if (!instantiate(dctx, td, &t)) + goto err; + reseed_counter_tmp = dctx->reseed_counter; + dctx->reseed_counter = dctx->reseed_interval; + + /* Generate output and check entropy has been requested for reseed */ + t.entcnt = 0; + if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen)) + || !TEST_int_eq(t.entcnt, 1) + || !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1) + || !uninstantiate(dctx)) + goto err; + + /* + * Check prediction resistance request fails if entropy source + * failure. + */ + t.entlen = 0; + if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1, + td->adin, td->adinlen)) + || !uninstantiate(dctx)) + goto err; + + /* Test reseed counter works */ + if (!instantiate(dctx, td, &t)) + goto err; + reseed_counter_tmp = dctx->reseed_counter; + dctx->reseed_counter = dctx->reseed_interval; + + /* Generate output and check entropy has been requested for reseed */ + t.entcnt = 0; + if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen)) + || !TEST_int_eq(t.entcnt, 1) + || !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1) + || !uninstantiate(dctx)) + goto err; + + /* + * Explicit reseed tests + */ + + /* Test explicit reseed with too large additional input */ + if (!init(dctx, td, &t) + || RAND_DRBG_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) + goto err; + + /* Test explicit reseed with entropy source failure */ + t.entlen = 0; + if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0) + || !uninstantiate(dctx)) + goto err; + + /* Test explicit reseed with too much entropy */ + if (!init(dctx, td, &t)) + goto err; + t.entlen = dctx->max_entropy + 1; + if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0) + || !uninstantiate(dctx)) + goto err; + + /* Test explicit reseed with too little entropy */ + if (!init(dctx, td, &t)) + goto err; + t.entlen = dctx->min_entropy - 1; + if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0) + || !uninstantiate(dctx)) + goto err; + + /* Standard says we have to check uninstantiate really zeroes */ + if (!TEST_mem_eq(zero, sizeof(dctx->ctr), &dctx->ctr, sizeof(dctx->ctr))) + goto err; + + ret = 1; + +err: + uninstantiate(dctx); + RAND_DRBG_free(dctx); + return ret; +} + +static int test_kats(int i) +{ + DRBG_SELFTEST_DATA *td = &drbg_test[i]; + int rv = 0; + + if (!single_kat(td)) + goto err; + rv = 1; + +err: + return rv; +} + +static int test_error_checks(int i) +{ + DRBG_SELFTEST_DATA *td = &drbg_test[i]; + int rv = 0; + + if (error_check(td)) + goto err; + rv = 1; + +err: + return rv; +} + + +int test_main(int argc, char *argv[]) +{ + if (argc != 1) { + TEST_error("Usage: %s", argv[0]); + return EXIT_FAILURE; + } + app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); + + ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test)); + ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test)); + return run_tests(argv[0]); +} |