1 /* fips/rand/fips_drbg_selftest.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
54 #define OPENSSL_FIPSAPI
57 #include <openssl/crypto.h>
58 #include <openssl/err.h>
59 #include <openssl/fips_rand.h>
60 #include "fips_rand_lcl.h"
61 #include "fips_locl.h"
63 #include "fips_drbg_selftest.h"
69 /* KAT data for no PR */
70 const unsigned char *ent;
72 const unsigned char *nonce;
74 const unsigned char *pers;
76 const unsigned char *adin;
78 const unsigned char *entreseed;
80 const unsigned char *adinreseed;
82 const unsigned char *adin2;
84 const unsigned char *kat;
86 const unsigned char *kat2;
90 const unsigned char *ent_pr;
92 const unsigned char *nonce_pr;
94 const unsigned char *pers_pr;
96 const unsigned char *adin_pr;
98 const unsigned char *entpr_pr;
100 const unsigned char *ading_pr;
102 const unsigned char *entg_pr;
104 const unsigned char *kat_pr;
106 const unsigned char *kat2_pr;
109 } DRBG_SELFTEST_DATA;
111 #define make_drbg_test_data(nid, flag, pr) { nid, flag | DRBG_FLAG_TEST, \
112 pr##_entropyinput, sizeof(pr##_entropyinput), \
113 pr##_nonce, sizeof(pr##_nonce), \
114 pr##_personalizationstring, sizeof(pr##_personalizationstring), \
115 pr##_additionalinput, sizeof(pr##_additionalinput), \
116 pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
117 pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
118 pr##_additionalinput2, sizeof(pr##_additionalinput2), \
119 pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
120 pr##_returnedbits, sizeof(pr##_returnedbits), \
121 pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
122 pr##_pr_nonce, sizeof(pr##_pr_nonce), \
123 pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
124 pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
125 pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
126 pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
127 pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
128 pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
129 pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
132 #define make_drbg_test_data_df(nid, pr) \
133 make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr)
135 static DRBG_SELFTEST_DATA drbg_test[] = {
136 make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df),
137 make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df),
138 make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df),
139 make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df),
140 make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df),
141 make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df),
142 make_drbg_test_data(NID_sha1, 0, sha1),
143 make_drbg_test_data(NID_sha224, 0, sha224),
144 make_drbg_test_data(NID_sha256, 0, sha256),
145 make_drbg_test_data(NID_sha384, 0, sha384),
146 make_drbg_test_data(NID_sha512, 0, sha512),
147 make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1),
148 make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224),
149 make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256),
150 make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384),
151 make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512),
157 const unsigned char *ent;
160 const unsigned char *nonce;
165 static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
166 int entropy, size_t min_len, size_t max_len)
168 TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
169 *pout = (unsigned char *)t->ent;
174 static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
175 int entropy, size_t min_len, size_t max_len)
177 TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
178 *pout = (unsigned char *)t->nonce;
183 static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
188 unsigned char randout[1024];
190 /* Initial test without PR */
192 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
194 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
197 FIPS_drbg_set_app_data(dctx, &t);
200 t.entlen = td->entlen;
202 t.noncelen = td->noncelen;
206 if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
209 /* Note for CTR without DF some additional input values
210 * ignore bytes after the keylength: so reduce adinlen
211 * to half to ensure invalid data is fed in.
213 if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->flags))
214 adinlen = td->adinlen / 2;
216 adinlen = td->adinlen;
217 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
221 if (memcmp(randout, td->kat, td->katlen))
224 t.ent = td->entreseed;
225 t.entlen = td->entreseedlen;
227 if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
230 if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, 0,
231 td->adin2, td->adin2len))
234 if (memcmp(randout, td->kat2, td->kat2len))
237 FIPS_drbg_uninstantiate(dctx);
239 /* Now test with PR */
240 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
242 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
245 FIPS_drbg_set_app_data(dctx, &t);
248 t.entlen = td->entlen_pr;
249 t.nonce = td->nonce_pr;
250 t.noncelen = td->noncelen_pr;
254 if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
257 t.ent = td->entpr_pr;
258 t.entlen = td->entprlen_pr;
260 /* Note for CTR without DF some additional input values
261 * ignore bytes after the keylength: so reduce adinlen
262 * to half to ensure invalid data is fed in.
264 if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->flags))
265 adinlen = td->adinlen_pr / 2;
267 adinlen = td->adinlen_pr;
268 if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 0, 1,
269 td->adin_pr, adinlen))
272 if (memcmp(randout, td->kat_pr, td->katlen_pr))
276 t.entlen = td->entglen_pr;
278 if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 0, 1,
279 td->ading_pr, td->adinglen_pr))
282 if (memcmp(randout, td->kat2_pr, td->kat2len_pr))
289 FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
290 FIPS_drbg_uninstantiate(dctx);
296 /* This is the "health check" function required by SP800-90. Induce several
297 * failure modes and check an error condition is set.
300 static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
302 unsigned char randout[1024];
305 unsigned char *p = (unsigned char *)dctx;
307 /* Initialise DRBG */
309 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
312 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
315 FIPS_drbg_set_app_data(dctx, &t);
318 t.entlen = td->entlen;
320 t.noncelen = td->noncelen;
324 /* Don't report induced errors */
325 dctx->flags |= DRBG_FLAG_NOERR;
327 /* Try too large a personalisation length */
328 if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
330 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
334 /* Test entropy source failure detection */
337 if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
339 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
343 /* Try to generate output from uninstantiated DRBG */
344 if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
345 td->adin, td->adinlen))
347 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
351 dctx->flags &= ~DRBG_FLAG_NOERR;
352 if (!FIPS_drbg_uninstantiate(dctx))
354 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
358 /* Instantiate with valid data. NB: errors now reported again */
359 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
361 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
363 FIPS_drbg_set_app_data(dctx, &t);
365 t.entlen = td->entlen;
366 if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
369 /* Check generation is now OK */
370 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
371 td->adin, td->adinlen))
374 /* Try to generate with too high a strength.
377 dctx->flags |= DRBG_FLAG_NOERR;
378 if (dctx->strength != 256)
380 if (FIPS_drbg_generate(dctx, randout, td->katlen, 256, 0,
381 td->adin, td->adinlen))
383 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_STRENGTH_ERROR_UNDETECTED);
389 /* Request too much data for one request */
390 if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, 0,
391 td->adin, td->adinlen))
393 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
397 /* Check prediction resistance request fails if entropy source
403 if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
404 td->adin, td->adinlen))
406 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
410 dctx->flags &= ~DRBG_FLAG_NOERR;
412 if (!FIPS_drbg_uninstantiate(dctx))
414 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
419 /* Instantiate again with valid data */
421 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
423 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
425 FIPS_drbg_set_app_data(dctx, &t);
427 t.entlen = td->entlen;
428 /* Test reseeding works */
429 dctx->reseed_interval = 2;
430 if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
433 /* Check generation is now OK */
434 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
435 td->adin, td->adinlen))
437 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
438 td->adin, td->adinlen))
441 /* DRBG should now require a reseed */
442 if (dctx->status != DRBG_STATUS_RESEED)
444 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
449 /* Generate again and check entropy has been requested for reseed */
451 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
452 td->adin, td->adinlen))
456 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
460 FIPS_drbg_uninstantiate(dctx);
461 p = (unsigned char *)&dctx->d;
462 /* Standard says we have to check uninstantiate really zeroes
465 for (i = 0; i < sizeof(dctx->d); i++)
469 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
478 /* A real error as opposed to an induced one: underlying function will
479 * indicate the error.
481 if (!(dctx->flags & DRBG_FLAG_NOERR))
482 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_FUNCTION_ERROR);
483 FIPS_drbg_uninstantiate(dctx);
489 int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
492 DRBG_SELFTEST_DATA *td;
493 for (td = drbg_test; td->nid != 0; td++)
495 if (td->nid == nid && td->flags == flags)
497 rv = fips_drbg_single_kat(dctx, td);
500 return fips_drbg_health_check(dctx, td);
506 int FIPS_selftest_drbg(void)
509 DRBG_SELFTEST_DATA *td;
511 dctx = FIPS_drbg_new(0, 0);
514 for (td = drbg_test; td->nid != 0; td++)
516 if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
518 if (!fips_drbg_single_kat(dctx, td))
520 fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
524 if (!fips_drbg_health_check(dctx, td))
526 fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
530 if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
533 FIPS_drbg_free(dctx);