Fix warnings.
Instantiate DRBGs at maximum strength.
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) Extensive self tests and health checking required by SP800-90 DRBG.
+ Remove strength parameter from FIPS_drbg_instantiate and always
+ instantiate at maximum supported strength.
+ [Steve Henson]
+
*) Add SRP support.
[Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]
{ERR_FUNC(FIPS_F_FIPS_CIPHERINIT), "FIPS_CIPHERINIT"},
{ERR_FUNC(FIPS_F_FIPS_DIGESTINIT), "FIPS_DIGESTINIT"},
{ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"},
+{ERR_FUNC(FIPS_F_FIPS_DRBG_HEALTH_CHECK), "FIPS_DRBG_HEALTH_CHECK"},
{ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"},
{ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"},
{ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"},
{ERR_REASON(FIPS_R_CANNOT_READ_EXE) ,"cannot read exe"},
{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot read exe digest"},
{ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"contradicting evidence"},
+{ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED),"entropy error undetected"},
+{ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),"entropy not requested for reseed"},
{ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
{ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
{ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY),"error retrieving entropy"},
{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match segment aliasing"},
{ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET),"fips mode already set"},
{ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED) ,"fips selftest failed"},
+{ERR_REASON(FIPS_R_FUNCTION_ERROR) ,"function error"},
{ERR_REASON(FIPS_R_GENERATE_ERROR) ,"generate error"},
+{ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED),"generate error undetected"},
{ERR_REASON(FIPS_R_INSTANTIATE_ERROR) ,"instantiate error"},
{ERR_REASON(FIPS_R_INSUFFICIENT_SECURITY_STRENGTH),"insufficient security strength"},
{ERR_REASON(FIPS_R_INVALID_KEY_LENGTH) ,"invalid key length"},
{ERR_REASON(FIPS_R_NON_FIPS_METHOD) ,"non fips method"},
{ERR_REASON(FIPS_R_NOT_INSTANTIATED) ,"not instantiated"},
{ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED) ,"pairwise test failed"},
+{ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),"personalisation error undetected"},
{ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),"personalisation string too long"},
+{ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),"request length error undetected"},
{ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),"request too large for drbg"},
+{ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR) ,"reseed counter error"},
{ERR_REASON(FIPS_R_RESEED_ERROR) ,"reseed error"},
{ERR_REASON(FIPS_R_RSA_DECRYPT_ERROR) ,"rsa decrypt error"},
{ERR_REASON(FIPS_R_RSA_ENCRYPT_ERROR) ,"rsa encrypt error"},
{ERR_REASON(FIPS_R_SELFTEST_FAILED) ,"selftest failed"},
+{ERR_REASON(FIPS_R_STRENGTH_ERROR_UNDETECTED),"strength error undetected"},
{ERR_REASON(FIPS_R_TEST_FAILURE) ,"test failure"},
+{ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),"uninstantiate zeroise error"},
{ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE),"unsupported drbg type"},
{ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM) ,"unsupported platform"},
{0,NULL}
int argn = argc - 1;
FILE *in, *out;
char buf[2048], lbuf[2048];
- unsigned char *rhash;
+ unsigned char *rhash = NULL;
long rhashlen;
BIGNUM *cx = NULL, *cy = NULL;
BIGNUM *id = NULL, *ix = NULL, *iy = NULL;
int main(int argc, char **argv)
{
- FILE *in, *out;
+ FILE *in = NULL, *out = NULL;
const char *cmd = argv[1];
int rv = 0;
fips_set_error_print();
#define FIPS_F_FIPS_CIPHERINIT 128
#define FIPS_F_FIPS_DIGESTINIT 127
#define FIPS_F_FIPS_DRBG_GENERATE 132
+#define FIPS_F_FIPS_DRBG_HEALTH_CHECK 137
#define FIPS_F_FIPS_DRBG_INIT 136
#define FIPS_F_FIPS_DRBG_INSTANTIATE 133
#define FIPS_F_FIPS_DRBG_NEW 134
#define FIPS_R_CANNOT_READ_EXE 103
#define FIPS_R_CANNOT_READ_EXE_DIGEST 104
#define FIPS_R_CONTRADICTING_EVIDENCE 114
+#define FIPS_R_ENTROPY_ERROR_UNDETECTED 133
+#define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 134
#define FIPS_R_ERROR_INITIALISING_DRBG 120
#define FIPS_R_ERROR_INSTANTIATING_DRBG 121
#define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
#define FIPS_R_FIPS_MODE_ALREADY_SET 102
#define FIPS_R_FIPS_SELFTEST_FAILED 106
+#define FIPS_R_FUNCTION_ERROR 135
#define FIPS_R_GENERATE_ERROR 124
+#define FIPS_R_GENERATE_ERROR_UNDETECTED 136
#define FIPS_R_INSTANTIATE_ERROR 125
#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 132
#define FIPS_R_INVALID_KEY_LENGTH 109
#define FIPS_R_NON_FIPS_METHOD 100
#define FIPS_R_NOT_INSTANTIATED 127
#define FIPS_R_PAIRWISE_TEST_FAILED 107
+#define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 137
#define FIPS_R_PERSONALISATION_STRING_TOO_LONG 128
+#define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 138
#define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 129
+#define FIPS_R_RESEED_COUNTER_ERROR 139
#define FIPS_R_RESEED_ERROR 130
#define FIPS_R_RSA_DECRYPT_ERROR 115
#define FIPS_R_RSA_ENCRYPT_ERROR 116
#define FIPS_R_SELFTEST_FAILED 101
+#define FIPS_R_STRENGTH_ERROR_UNDETECTED 140
#define FIPS_R_TEST_FAILURE 117
+#define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 141
#define FIPS_R_UNSUPPORTED_DRBG_TYPE 131
#define FIPS_R_UNSUPPORTED_PLATFORM 113
static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
{
- OPENSSL_cleanse(&dctx->d.ctr, sizeof(DRBG_CTR_CTX));
+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
return 1;
}
dctx->generate = drbg_ctr_generate;
dctx->uninstantiate = drbg_ctr_uninstantiate;
-
cctx->keylen = keylen;
dctx->strength = keylen * 8;
dctx->blocklength = 16;
}
dctx->max_request = 1<<19;
- dctx->reseed_counter = DRBG_MAX_LENGTH;
+ dctx->reseed_interval = 1<<24;
return 1;
}
dctx->max_adin = DRBG_MAX_LENGTH;
dctx->max_request = 1<<19;
+ dctx->reseed_interval = 1<<24;
return 1;
}
}
int FIPS_drbg_instantiate(DRBG_CTX *dctx,
- int strength,
const unsigned char *pers, size_t perslen)
{
size_t entlen, noncelen;
goto end;
}
- if (strength > dctx->strength)
- {
- r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
- goto end;
- }
-
dctx->status = DRBG_STATUS_ERROR;
entlen = dctx->get_entropy(dctx, dctx->entropy, dctx->strength,
dctx->status = DRBG_STATUS_READY;
dctx->reseed_counter = 1;
- /* Initial test value for reseed interval */
- dctx->reseed_interval = 1<<24;
end:
if (dctx->status == DRBG_STATUS_READY)
return 1;
- if (r && !(dctx->flags & DRBG_FLAG_TEST))
+ if (r && !(dctx->flags & DRBG_FLAG_NOERR))
FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
return 0;
if (dctx->status == DRBG_STATUS_READY)
return 1;
- if (r && !(dctx->flags & DRBG_FLAG_TEST))
+ if (r && !(dctx->flags & DRBG_FLAG_NOERR))
FIPSerr(FIPS_F_FIPS_DRBG_RESEED, r);
return 0;
dctx->status = DRBG_STATUS_ERROR;
goto end;
}
- if (dctx->reseed_counter > dctx->reseed_interval)
+ if (dctx->reseed_counter >= dctx->reseed_interval)
dctx->status = DRBG_STATUS_RESEED;
else
dctx->reseed_counter++;
end:
if (r)
{
- if (!(dctx->flags & DRBG_FLAG_TEST))
+ if (!(dctx->flags & DRBG_FLAG_NOERR))
FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
return 0;
}
int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
{
- int save_type, save_flags, rv;
- save_type = dctx->type;
- save_flags = dctx->flags;
+ int rv;
+ if (!dctx->uninstantiate)
+ return 1;
rv = dctx->uninstantiate(dctx);
- OPENSSL_cleanse(dctx, sizeof(DRBG_CTX));
+ /* Although we'd like to cleanse here we can't because we have to
+ * test the uninstantiate really zeroes the data.
+ */
+ memset(dctx, 0, sizeof(DRBG_CTX));
/* If method has problems uninstantiating, return error */
return rv;
}
{
const unsigned char *ent;
size_t entlen;
+ int entcnt;
const unsigned char *nonce;
size_t noncelen;
+ int noncecnt;
} TEST_ENT;
static size_t test_entropy(DRBG_CTX *dctx, unsigned char *out,
{
TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
memcpy(out, t->ent, t->entlen);
+ t->entcnt++;
return t->entlen;
}
{
TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
memcpy(out, t->nonce, t->noncelen);
+ t->noncecnt++;
return t->noncelen;
}
t.entlen = td->entlen;
t.nonce = td->nonce;
t.noncelen = td->noncelen;
+ t.entcnt = 0;
+ t.noncecnt = 0;
- if (!FIPS_drbg_instantiate(dctx, 0, td->pers, td->perslen))
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
goto err;
t.ent = td->entpr;
return rv;
}
+/* This is the "health check" function required by SP800-90. Induce several
+ * failure modes and check an error condition is set.
+ */
+
+static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
+ {
+ unsigned char randout[1024];
+ TEST_ENT t;
+ size_t i;
+ unsigned char *p = (unsigned char *)dctx;
+
+ /* Initialise DRBG */
+
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ goto err;
+
+ if (!FIPS_drbg_set_test_mode(dctx, test_entropy, test_nonce))
+ goto err;
+
+ FIPS_drbg_set_app_data(dctx, &t);
+
+ t.ent = td->ent;
+ t.entlen = td->entlen;
+ t.nonce = td->nonce;
+ t.noncelen = td->noncelen;
+ t.entcnt = 0;
+ t.noncecnt = 0;
+
+ /* Don't report induced errors */
+ dctx->flags |= DRBG_FLAG_NOERR;
+
+ /* Try too large a personalisation length */
+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Test entropy source failure detection */
+
+ t.entlen = 0;
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Try to generate output from uninstantiated DRBG */
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ td->adin, td->adinlen))
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Instantiate with valid data. NB: errors now reported again */
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ goto err;
+ if (!FIPS_drbg_set_test_mode(dctx, test_entropy, test_nonce))
+ goto err;
+ FIPS_drbg_set_app_data(dctx, &t);
+
+ t.entlen = td->entlen;
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
+ goto err;
+
+ /* Check generation is now OK */
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ td->adin, td->adinlen))
+ goto err;
+
+ /* Try to generate with too high a strength.
+ */
+
+ dctx->flags |= DRBG_FLAG_NOERR;
+ if (dctx->strength != 256)
+ {
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 256, 0,
+ td->adin, td->adinlen))
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_STRENGTH_ERROR_UNDETECTED);
+
+ goto err;
+ }
+ }
+
+ /* Request too much data for one request */
+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, 0,
+ td->adin, td->adinlen))
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Check prediction resistance request fails if entropy source
+ * failure.
+ */
+
+ t.entlen = 0;
+
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
+ td->adin, td->adinlen))
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+
+ /* Instantiate again with valid data */
+
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ goto err;
+ if (!FIPS_drbg_set_test_mode(dctx, test_entropy, test_nonce))
+ goto err;
+ FIPS_drbg_set_app_data(dctx, &t);
+
+ t.entlen = td->entlen;
+ /* Test reseeding works */
+ dctx->reseed_interval = 2;
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
+ goto err;
+
+ /* Check generation is now OK */
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ td->adin, td->adinlen))
+ goto err;
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ td->adin, td->adinlen))
+ goto err;
+
+ /* DRBG should now require a reseed */
+ if (dctx->status != DRBG_STATUS_RESEED)
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
+ goto err;
+ }
+
+
+ /* Generate again and check entropy has been requested for reseed */
+ t.entcnt = 0;
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
+ td->adin, td->adinlen))
+ goto err;
+ if (t.entcnt != 1)
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
+ goto err;
+ }
+
+ FIPS_drbg_uninstantiate(dctx);
+ p = (unsigned char *)dctx;
+ /* Standard says we have to check uninstantiate really zeroes
+ * the data...
+ */
+ for (i = 0; i < sizeof(DRBG_CTX); i++)
+ {
+ if (*p != 0)
+ {
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
+ goto err;
+ }
+ p++;
+ }
+
+ return 1;
+
+ err:
+ /* A real error as opposed to an induced one: underlying function will
+ * indicate the error.
+ */
+ if (!(dctx->flags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_FUNCTION_ERROR);
+ FIPS_drbg_uninstantiate(dctx);
+ return 0;
+
+ }
+
+
int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
{
+ int rv;
DRBG_SELFTEST_DATA *td;
for (td = drbg_test; td->nid != 0; td++)
{
if (td->nid == nid && td->flags == flags)
- return fips_drbg_single_kat(dctx, td);
+ {
+ rv = fips_drbg_single_kat(dctx, td);
+ if (rv <= 0)
+ return rv;
+ return fips_drbg_health_check(dctx, td);
+ }
}
return 0;
}
if (!dctx)
return 0;
for (td = drbg_test; td->nid != 0; td++)
+ {
if (!fips_drbg_single_kat(dctx, td))
break;
+ if (!fips_drbg_health_check(dctx, td))
+ break;
+ }
if (td->nid == 0)
return 1;
return 0;
int main(int argc,char **argv)
{
FILE *in, *out;
- DRBG_CTX *dctx;
+ DRBG_CTX *dctx = NULL;
TEST_ENT t;
- int r, nid;
+ int r, nid = 0;
int pr = 0;
char buf[2048], lbuf[2048];
unsigned char randout[2048];
unsigned char *ent = NULL, *nonce = NULL, *pers = NULL, *adin = NULL;
long entlen, noncelen, perslen, adinlen;
- int df;
+ int df = 0;
int randoutlen = 0;
FIPS_drbg_set_test_mode(dctx, test_entropy, test_nonce);
FIPS_drbg_set_app_data(dctx, &t);
randoutlen = (int)FIPS_drbg_get_blocklength(dctx);
- r = FIPS_drbg_instantiate(dctx, 0, pers, perslen);
+ r = FIPS_drbg_instantiate(dctx, pers, perslen);
if (!r)
{
fprintf(stderr, "Error instantiating DRBG\n");
DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
-int FIPS_drbg_instantiate(DRBG_CTX *dctx, int strength,
+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
const unsigned char *pers, size_t perslen);
int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
/* PRNG is in test state */
#define DRBG_FLAG_TEST 0x2
+/* Functions shouldn't call err library */
+#define DRBG_FLAG_NOERR 0x4
/* DRBG status values */
/* not initialised */
/* A default maximum length: larger than any reasonable value used in pratice */
-#define DRBG_MAX_LENGTH 0x7fffffff
+#define DRBG_MAX_LENGTH 0x7ffffff0
/* DRBG context structure */
projects / openssl.git / commitdiff