
fips_drbg_selftest.c 30 KB

  1. /* fips/rand/fips_drbg_selftest.c */
  2. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  3. * project.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * licensing@OpenSSL.org.
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. */
  53. #define OPENSSL_FIPSAPI
  54. #include <string.h>
  55. #include <openssl/crypto.h>
  56. #include <openssl/evp.h>
  57. #include <openssl/aes.h>
  58. #include <openssl/err.h>
  59. #include <openssl/fips_rand.h>
  60. #include "fips_rand_lcl.h"
  61. #include "fips_locl.h"
  /*
   * One known-answer test (KAT) vector for a single DRBG mechanism.
   *
   * Instances are built positionally by make_drbg_test_data(), so the field
   * order here must stay in step with that macro.  The notes on each field
   * describe how fips_drbg_single_kat() consumes it.
   */
  typedef struct {
      /* Mechanism identifier handed to FIPS_drbg_init(). */
      int nid;
      /* Flags handed to FIPS_drbg_init(); the table macro ORs in DRBG_FLAG_TEST. */
      unsigned int flags;
      /* Entropy returned by the test_entropy callback during instantiate. */
      const unsigned char *ent;
      size_t entlen;
      /* Nonce returned by the test_nonce callback. */
      const unsigned char *nonce;
      size_t noncelen;
      /* Personalisation string passed to FIPS_drbg_instantiate(). */
      const unsigned char *pers;
      size_t perslen;
      /* Additional input for the first generate call. */
      const unsigned char *adin;
      size_t adinlen;
      /* Entropy made available to the callback for the first generate call. */
      const unsigned char *entpr;
      size_t entprlen;
      /* Additional input for the second generate call. */
      const unsigned char *ading;
      size_t adinglen;
      /* Entropy made available to the callback for the second generate call. */
      const unsigned char *entg;
      size_t entglen;
      /* Expected output of the second generate call, compared with memcmp(). */
      const unsigned char *kat;
      size_t katlen;
  } DRBG_SELFTEST_DATA;
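  /*
   * Build one DRBG_SELFTEST_DATA initializer from a set of arrays that share
   * the name prefix `pr` (pr_entropyinput, pr_nonce, ...).  The initializer is
   * positional, so the order below must match the struct's field order.
   * DRBG_FLAG_TEST is always ORed into the flags.  `flag` is parenthesized so
   * that an expression argument (for example a conditional) cannot re-associate
   * with the `|`.
   */
  #define make_drbg_test_data(nid, flag, pr) { nid, (flag) | DRBG_FLAG_TEST, \
      pr##_entropyinput, sizeof(pr##_entropyinput), \
      pr##_nonce, sizeof(pr##_nonce), \
      pr##_personalizationstring, sizeof(pr##_personalizationstring), \
      pr##_additionalinput, sizeof(pr##_additionalinput), \
      pr##_entropyinputpr, sizeof(pr##_entropyinputpr), \
      pr##_additionalinput2, sizeof(pr##_additionalinput2), \
      pr##_entropyinputpr2, sizeof(pr##_entropyinputpr2), \
      pr##_returnedbits, sizeof(pr##_returnedbits), \
      }
  /* Same as make_drbg_test_data() with DRBG_FLAG_CTR_USE_DF set. */
  #define make_drbg_test_data_df(nid, pr) \
      make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr)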
  94. /* AES-128 use df PR */
  95. static const unsigned char aes_128_use_df_entropyinput[] =
  96. {
  97. 0x98,0x38,0x99,0x81,0x1d,0x56,0x1a,0x04,0xb0,0x50,0xcd,0x14,
  98. 0xc3,0x90,0x0b,0x4f
  99. };
  100. static const unsigned char aes_128_use_df_nonce[] =
  101. {
  102. 0xa8,0xa0,0x80,0x8a,0x65,0xb7,0x38,0x22
  103. };
  104. static const unsigned char aes_128_use_df_personalizationstring[] =
  105. {
  106. 0x67,0x4f,0x85,0x01,0x15,0x51,0x85,0xdd,0x97,0xda,0xf7,0x09,
  107. 0xbc,0x61,0xaf,0x23
  108. };
  109. static const unsigned char aes_128_use_df_additionalinput[] =
  110. {
  111. 0x01,0xba,0xa8,0x13,0x9e,0xd4,0xb7,0xff,0x86,0x34,0x01,0xa0,
  112. 0xb6,0x17,0x96,0x55
  113. };
  114. static const unsigned char aes_128_use_df_entropyinputpr[] =
  115. {
  116. 0x60,0x76,0xf6,0x12,0x6b,0x92,0xbe,0xd7,0x75,0x6e,0x78,0x1f,
  117. 0x0d,0xc1,0x0d,0x56
  118. };
  119. static const unsigned char aes_128_use_df_additionalinput2[] =
  120. {
  121. 0xf0,0xd6,0x5b,0xa3,0x7c,0x1e,0xa3,0x65,0x08,0xf9,0xdd,0x90,
  122. 0xde,0x5f,0xb4,0x27
  123. };
  124. static const unsigned char aes_128_use_df_entropyinputpr2[] =
  125. {
  126. 0x34,0x55,0x02,0xa9,0x30,0xf0,0x78,0x0a,0xa2,0xae,0x74,0x46,
  127. 0xe5,0xad,0xbb,0xd6
  128. };
  129. static const unsigned char aes_128_use_df_returnedbits[] =
  130. {
  131. 0x48,0x52,0xb6,0x9f,0xf2,0xfe,0xe1,0x12,0xaf,0x22,0x87,0xd7,
  132. 0x46,0x64,0x96,0xec
  133. };
  134. /* AES-192 use df PR */
  135. static const unsigned char aes_192_use_df_entropyinput[] =
  136. {
  137. 0x12,0xf6,0xff,0xc5,0x81,0x8c,0x15,0xd7,0x33,0x0c,0x4f,0x45,
  138. 0xbf,0x2a,0x97,0xd2,0xe0,0xe0,0xbd,0x48,0x4e,0x83,0x76,0x25
  139. };
  140. static const unsigned char aes_192_use_df_nonce[] =
  141. {
  142. 0x35,0xc8,0x16,0x8c,0xbd,0x1f,0x53,0xc4,0x6e,0x47,0x3a,0x74,
  143. 0x83,0xe6,0xe4,0x78
  144. };
  145. static const unsigned char aes_192_use_df_personalizationstring[] =
  146. {
  147. 0xd6,0xe2,0x27,0x88,0xf4,0xce,0x9d,0xfc,0x92,0xde,0x07,0x57,
  148. 0x43,0x74,0x17,0x6e,0x63,0x54,0xaf,0x5a,0x3c,0xf8,0x23,0x65,
  149. 0x5a,0x15,0xb0,0x35,0x2a,0x6c,0x3c,0x3a
  150. };
  151. static const unsigned char aes_192_use_df_additionalinput[] =
  152. {
  153. 0xad,0xa4,0x47,0xa4,0xcf,0x46,0x7b,0xf7,0x19,0xcc,0xda,0xbe,
  154. 0x11,0x42,0x85,0xaa,0x21,0x16,0x27,0xe6,0x35,0xdf,0xb5,0x87,
  155. 0x96,0x68,0x64,0x35,0x08,0x02,0xe9,0x19
  156. };
  157. static const unsigned char aes_192_use_df_entropyinputpr[] =
  158. {
  159. 0x6f,0x41,0x2d,0x5e,0xd6,0xc9,0xf8,0x6a,0x22,0x00,0xe0,0xfb,
  160. 0x4b,0xcd,0xbe,0x2d,0x98,0xff,0x1b,0xe2,0xb9,0x95,0x73,0xac
  161. };
  162. static const unsigned char aes_192_use_df_additionalinput2[] =
  163. {
  164. 0x51,0xea,0xd8,0x8e,0xa0,0xd7,0x9c,0x22,0x3c,0x01,0xf6,0xdb,
  165. 0xe9,0xe4,0x60,0x1e,0x54,0x56,0x3b,0x5c,0xd2,0xf3,0xa0,0x1d,
  166. 0x5c,0xd0,0x85,0x48,0xc9,0x5f,0x12,0xb7
  167. };
  168. static const unsigned char aes_192_use_df_entropyinputpr2[] =
  169. {
  170. 0xf7,0x1f,0x9f,0x0e,0x14,0x30,0xde,0x4c,0xf9,0x34,0x49,0xc5,
  171. 0x24,0x91,0xe3,0x30,0xfd,0x5f,0x1e,0x79,0x30,0xf5,0x58,0xe6
  172. };
  173. static const unsigned char aes_192_use_df_returnedbits[] =
  174. {
  175. 0x5b,0x8a,0xca,0x2e,0x74,0xb6,0x6f,0x96,0x48,0xb0,0xe4,0xc1,
  176. 0x68,0x40,0xac,0xc7
  177. };
  178. /* AES-256 use df PR */
  179. static const unsigned char aes_256_use_df_entropyinput[] =
  180. {
  181. 0x2a,0x02,0xbe,0xaa,0xba,0xb4,0x6a,0x73,0x53,0x85,0xa9,0x2a,
  182. 0xae,0x4a,0xdc,0xeb,0xe8,0x07,0xfb,0xf3,0xbc,0xe3,0xf4,0x2e,
  183. 0x00,0x53,0x46,0x00,0x64,0x80,0xdd,0x57
  184. };
  185. static const unsigned char aes_256_use_df_nonce[] =
  186. {
  187. 0x2c,0x86,0xa2,0xf9,0x70,0xb5,0xca,0xd3,0x9a,0x08,0xdc,0xb6,
  188. 0x6b,0xce,0xe5,0x05
  189. };
  190. static const unsigned char aes_256_use_df_personalizationstring[] =
  191. {
  192. 0xdb,0x6c,0xe1,0x84,0xbe,0x07,0xae,0x55,0x4e,0x34,0x5d,0xb8,
  193. 0x47,0x98,0x85,0xe0,0x3d,0x3e,0x9f,0x60,0xfa,0x1c,0x7d,0x57,
  194. 0x19,0xe5,0x09,0xdc,0xe2,0x10,0x41,0xab
  195. };
  196. static const unsigned char aes_256_use_df_additionalinput[] =
  197. {
  198. 0x1d,0xc3,0x11,0x93,0xcb,0xc4,0xf6,0xbb,0x57,0xb0,0x09,0x70,
  199. 0xb9,0xc6,0x05,0x86,0x4e,0x75,0x95,0x7d,0x3d,0xec,0xce,0xb4,
  200. 0x0b,0xe4,0xef,0xd1,0x7b,0xab,0x56,0x6f
  201. };
  202. static const unsigned char aes_256_use_df_entropyinputpr[] =
  203. {
  204. 0x8f,0xb9,0xab,0xf9,0x33,0xcc,0xbe,0xc6,0xbd,0x8b,0x61,0x5a,
  205. 0xec,0xc6,0x4a,0x5b,0x03,0x21,0xe7,0x37,0x03,0x02,0xbc,0xa5,
  206. 0x28,0xb9,0xfe,0x7a,0xa8,0xef,0x6f,0xb0
  207. };
  208. static const unsigned char aes_256_use_df_additionalinput2[] =
  209. {
  210. 0xd6,0x98,0x63,0x48,0x94,0x9f,0x26,0xf7,0x1f,0x44,0x13,0x23,
  211. 0xa7,0xde,0x09,0x12,0x90,0x04,0xce,0xbc,0xac,0x82,0x70,0x58,
  212. 0xba,0x7d,0xdc,0x25,0x1e,0xe4,0xbf,0x7c
  213. };
  214. static const unsigned char aes_256_use_df_entropyinputpr2[] =
  215. {
  216. 0xe5,0x04,0xef,0x7c,0x8d,0x02,0xd7,0x68,0x95,0x4c,0x64,0x34,
  217. 0x30,0x3a,0xcb,0x07,0xc9,0x0a,0xef,0x26,0xc6,0x57,0x43,0xfb,
  218. 0x7d,0xbe,0xe2,0x61,0x75,0xcd,0xee,0x34
  219. };
  220. static const unsigned char aes_256_use_df_returnedbits[] =
  221. {
  222. 0x75,0x6d,0x16,0xef,0x14,0xae,0xd9,0xc2,0x28,0x0b,0x66,0xff,
  223. 0x20,0x1f,0x21,0x33
  224. };
  225. /* AES-128 no df PR */
  226. static const unsigned char aes_128_no_df_entropyinput[] =
  227. {
  228. 0xbe,0x91,0xb9,0x09,0x91,0x13,0x0b,0xbd,0x7b,0x95,0x77,0xed,
  229. 0xf2,0x00,0xff,0x2a,0xec,0xbd,0x7a,0x11,0x59,0xe1,0x32,0x1a,
  230. 0xe3,0x9a,0xbd,0xa2,0xe4,0xd9,0x1a,0x39
  231. };
  232. static const unsigned char aes_128_no_df_nonce[] =
  233. {
  234. 0x39,0xeb,0x7a,0x42,0x0b,0x7f,0x4f,0xd5
  235. };
  236. static const unsigned char aes_128_no_df_personalizationstring[] =
  237. {
  238. 0xd0,0xe4,0x9c,0xf6,0x2f,0xc8,0xba,0x6d,0xb9,0x91,0x8f,0xc1,
  239. 0x45,0x5b,0xb9,0x4f,0xdb,0x36,0xd6,0x71,0x2c,0x4b,0x2a,0x4c,
  240. 0x50,0x4c,0x74,0xdb,0xc5,0x20,0x0b,0x3b
  241. };
  242. static const unsigned char aes_128_no_df_additionalinput[] =
  243. {
  244. 0x7c,0x35,0x81,0x03,0x58,0x93,0x24,0xf7,0x9c,0x98,0x4a,0x9d,
  245. 0x94,0xbd,0x9d,0x77,0x64,0xda,0xa4,0x67,0x66,0xb7,0x43,0xde,
  246. 0xc5,0xd5,0x72,0x42,0x5a,0x7c,0x41,0x9f
  247. };
  248. static const unsigned char aes_128_no_df_entropyinputpr[] =
  249. {
  250. 0x63,0xf6,0x0e,0xfe,0x56,0xad,0x8f,0x37,0xa8,0xa1,0x6a,0x83,
  251. 0x01,0xac,0x51,0xe0,0x86,0x26,0xce,0x5c,0x57,0x14,0xd8,0xde,
  252. 0x4d,0x93,0xb6,0x35,0xf4,0x85,0x18,0x60
  253. };
  254. static const unsigned char aes_128_no_df_additionalinput2[] =
  255. {
  256. 0x90,0x0f,0x35,0x81,0xc5,0xf5,0xc8,0x1b,0x80,0x99,0xcd,0xe2,
  257. 0xbb,0xe2,0xc7,0x65,0x40,0x74,0x50,0x2b,0x89,0xb4,0x16,0x60,
  258. 0xd7,0x1e,0x15,0xbf,0x91,0xc9,0x15,0xc2
  259. };
  260. static const unsigned char aes_128_no_df_entropyinputpr2[] =
  261. {
  262. 0xc7,0x9f,0xd6,0x9b,0xe2,0x74,0x3e,0x8c,0x12,0xdd,0x41,0xcd,
  263. 0x51,0x6b,0xd4,0x71,0x3e,0xd0,0x36,0xc7,0xb9,0xa6,0xaf,0xca,
  264. 0xc0,0x7e,0x89,0xc4,0x88,0x2b,0x4e,0x43
  265. };
  266. static const unsigned char aes_128_no_df_returnedbits[] =
  267. {
  268. 0x8c,0x7f,0x69,0xbf,0xb8,0x07,0x17,0xa6,0x09,0xef,0xd2,0x0a,
  269. 0x5f,0x20,0x18,0x2f
  270. };
  271. /* AES-192 no df PR */
  272. static const unsigned char aes_192_no_df_entropyinput[] =
  273. {
  274. 0xd5,0xcb,0x5b,0xc5,0x5b,0xa6,0x97,0xb6,0x1e,0x57,0x92,0xbb,
  275. 0x14,0x72,0xeb,0xae,0x44,0x85,0x99,0xa3,0xa3,0x24,0xe5,0x91,
  276. 0x2e,0x34,0xa7,0x3f,0x48,0x7a,0xc4,0x72,0x54,0x65,0xe6,0x57,
  277. 0x94,0x1a,0x7c,0x2d
  278. };
  279. static const unsigned char aes_192_no_df_nonce[] =
  280. {
  281. 0x74,0x7a,0x38,0x81,0xef,0xca,0xd1,0xb6,0x7b,0xb5,0x1e,0x62,
  282. 0xf9,0x80,0x2c,0xe5
  283. };
  284. static const unsigned char aes_192_no_df_personalizationstring[] =
  285. {
  286. 0x03,0xf8,0xbe,0xe8,0x6a,0x90,0x2a,0x4f,0xbd,0x80,0xd0,0x31,
  287. 0xf0,0x59,0xa3,0xf6,0x87,0xd8,0x8d,0x0d,0xac,0x27,0xa2,0xd2,
  288. 0x91,0x72,0xa5,0xc1,0x07,0xac,0xbf,0xdb,0x5d,0xa1,0x7d,0x56,
  289. 0x7d,0x3f,0x09,0x8b
  290. };
  291. static const unsigned char aes_192_no_df_additionalinput[] =
  292. {
  293. 0x3e,0x89,0x1b,0x17,0xcb,0xe3,0xc8,0x76,0x71,0x0d,0xaf,0x97,
  294. 0x1e,0x73,0xa6,0xc4,0x88,0x3d,0x46,0xad,0xf0,0xba,0xc3,0x7e,
  295. 0x17,0x10,0x0d,0x20,0x80,0x23,0x26,0xcc,0xe6,0xc4,0xc4,0xd8,
  296. 0xfe,0x1d,0x2a,0xbc
  297. };
  298. static const unsigned char aes_192_no_df_entropyinputpr[] =
  299. {
  300. 0x3f,0x33,0xb8,0x1b,0xe1,0x1b,0xe7,0xbe,0x68,0x6f,0xd2,0xd8,
  301. 0x6f,0xb6,0xf0,0xd2,0xa1,0x1c,0x83,0x24,0xfe,0x5d,0xf2,0xe9,
  302. 0x4b,0xf0,0x63,0xa2,0xd8,0x76,0x9e,0x49,0x78,0x64,0x1f,0x98,
  303. 0xbc,0xee,0x7c,0x99
  304. };
  305. static const unsigned char aes_192_no_df_additionalinput2[] =
  306. {
  307. 0x54,0x48,0xf9,0x6a,0x86,0x93,0xf3,0x7b,0x02,0x1b,0xf6,0x46,
  308. 0x3a,0x49,0x02,0x87,0x3f,0x54,0x82,0x7f,0xa1,0x45,0x41,0xa5,
  309. 0x88,0x4b,0xaa,0x90,0x12,0x40,0x46,0x22,0xed,0x7a,0x72,0xf7,
  310. 0x36,0xd5,0x5f,0x0f
  311. };
  312. static const unsigned char aes_192_no_df_entropyinputpr2[] =
  313. {
  314. 0x00,0xdf,0xa1,0x50,0xc1,0xb9,0x82,0x7f,0x65,0xea,0x0f,0x14,
  315. 0x79,0xfe,0x6a,0x95,0x4b,0x96,0xae,0x89,0x28,0x52,0x49,0x05,
  316. 0xd9,0x00,0x9e,0x79,0x5e,0x04,0xdb,0xbb,0xec,0x09,0x16,0x53,
  317. 0x23,0xe9,0xac,0x08
  318. };
  319. static const unsigned char aes_192_no_df_returnedbits[] =
  320. {
  321. 0x48,0xd6,0x66,0x61,0x93,0x8d,0xff,0x7d,0x42,0xf4,0x41,0x9a,
  322. 0x01,0x2a,0x34,0x09
  323. };
  324. /* AES-256 no df PR */
  325. static const unsigned char aes_256_no_df_entropyinput[] =
  326. {
  327. 0x7e,0x83,0x3f,0xa6,0x39,0xdc,0xcb,0x38,0x17,0x6a,0xa3,0x59,
  328. 0xa9,0x8c,0x1f,0x50,0xd3,0xdb,0x34,0xdd,0xa4,0x39,0x65,0xe4,
  329. 0x77,0x17,0x08,0x57,0x49,0x04,0xbd,0x68,0x5c,0x7d,0x2a,0xee,
  330. 0x0c,0xf2,0xfb,0x16,0xef,0x16,0x18,0x4d,0x32,0x6a,0x26,0x6c
  331. };
  332. static const unsigned char aes_256_no_df_nonce[] =
  333. {
  334. 0xa3,0x8a,0xa4,0x6d,0xa6,0xc1,0x40,0xf8,0xa3,0x02,0xf1,0xac,
  335. 0xf3,0xea,0x7f,0x2d
  336. };
  337. static const unsigned char aes_256_no_df_personalizationstring[] =
  338. {
  339. 0xc0,0x54,0x1e,0xa5,0x93,0xd9,0x8b,0x2b,0x43,0x15,0x2c,0x07,
  340. 0x26,0x25,0xc7,0x08,0xf0,0xb3,0x4b,0x44,0x96,0xfe,0xc7,0xc5,
  341. 0x64,0x27,0xaa,0x78,0x5b,0xbc,0x40,0x51,0xce,0x89,0x6b,0xc1,
  342. 0x3f,0x9c,0xa0,0x5c,0x75,0x98,0x24,0xc5,0xe1,0x3e,0x86,0xdb
  343. };
  344. static const unsigned char aes_256_no_df_additionalinput[] =
  345. {
  346. 0x0e,0xe3,0x0f,0x07,0x90,0xe2,0xde,0x20,0xb6,0xf7,0x6f,0xef,
  347. 0x87,0xdc,0x7f,0xc4,0x0d,0x9d,0x05,0x31,0x91,0x87,0x8c,0x9a,
  348. 0x19,0x53,0xd2,0xf8,0x20,0x91,0xa0,0xef,0x97,0x59,0xea,0x12,
  349. 0x1b,0x2f,0x29,0x74,0x76,0x35,0xf7,0x71,0x5a,0x96,0xeb,0xbc
  350. };
  351. static const unsigned char aes_256_no_df_entropyinputpr[] =
  352. {
  353. 0x37,0x26,0x9a,0xa6,0x28,0xe0,0x35,0x78,0x12,0x42,0x44,0x5c,
  354. 0x55,0xbc,0xc8,0xb6,0x1f,0x24,0xf3,0x32,0x88,0x02,0x69,0xa7,
  355. 0xed,0x1d,0xb7,0x4d,0x8b,0x44,0x12,0x21,0x5e,0x60,0x53,0x96,
  356. 0x3b,0xb9,0x31,0x7f,0x2a,0x87,0xbf,0x3c,0x07,0xbb,0x27,0x22
  357. };
  358. static const unsigned char aes_256_no_df_additionalinput2[] =
  359. {
  360. 0xf1,0x24,0x35,0xa6,0x8c,0x93,0x28,0x7e,0x84,0xea,0x3d,0x27,
  361. 0x44,0x18,0xc9,0x13,0x73,0x49,0xb9,0x83,0x79,0x15,0x29,0x53,
  362. 0x2f,0xef,0x43,0x06,0xe7,0xcb,0x5c,0x0f,0x9f,0x10,0x4c,0x60,
  363. 0x7f,0xbf,0x0c,0x37,0x9b,0xe4,0x94,0x26,0xe5,0x3b,0xf5,0x63
  364. };
  365. static const unsigned char aes_256_no_df_entropyinputpr2[] =
  366. {
  367. 0xdc,0x91,0x48,0x11,0x63,0x7b,0x79,0x41,0x36,0x8c,0x4f,0xe2,
  368. 0xc9,0x84,0x04,0x9c,0xdc,0x5b,0x6c,0x8d,0x61,0x52,0xea,0xfa,
  369. 0x92,0x3b,0xb4,0x36,0x4c,0x06,0x4a,0xd1,0xb1,0x8e,0x32,0x03,
  370. 0xfd,0xa4,0xf7,0x5a,0xa6,0x5c,0x63,0xa1,0xb9,0x96,0xfa,0x12
  371. };
  372. static const unsigned char aes_256_no_df_returnedbits[] =
  373. {
  374. 0x1c,0xba,0xfd,0x48,0x0f,0xf4,0x85,0x63,0xd6,0x7d,0x91,0x14,
  375. 0xef,0x67,0x6b,0x7f
  376. };
  377. /* SHA-1 PR */
  378. static const unsigned char sha1_entropyinput[] =
  379. {
  380. 0x5b,0xaf,0x30,0x1a,0xdc,0xd1,0x04,0xd7,0x95,0x72,0xd2,0xfb,
  381. 0xec,0x2d,0x62,0x2b
  382. };
  383. static const unsigned char sha1_nonce[] =
  384. {
  385. 0xf3,0xd9,0xcb,0x92,0x5f,0x50,0x4c,0x99
  386. };
  387. static const unsigned char sha1_personalizationstring[] =
  388. {
  389. 0x8f,0x56,0x70,0xd9,0x27,0xa2,0xb4,0xf1,0xb3,0xad,0xcf,0x10,
  390. 0x06,0x16,0x5c,0x11
  391. };
  392. static const unsigned char sha1_additionalinput[] =
  393. {
  394. 0x49,0xdd,0x0c,0xb4,0xab,0x84,0xe1,0x7e,0x94,0x20,0xad,0x6c,
  395. 0xd7,0xd2,0x0b,0x84
  396. };
  397. static const unsigned char sha1_entropyinputpr[] =
  398. {
  399. 0x23,0x4a,0xaf,0xf7,0x1a,0x0b,0x7e,0x51,0xdd,0x23,0x51,0x82,
  400. 0x2c,0x8c,0xa6,0xc5
  401. };
  402. static const unsigned char sha1_additionalinput2[] =
  403. {
  404. 0x59,0xe6,0x93,0xcb,0x38,0x23,0xf5,0x7b,0x93,0x5a,0x4d,0xfa,
  405. 0x11,0xb8,0x88,0xde
  406. };
  407. static const unsigned char sha1_entropyinputpr2[] =
  408. {
  409. 0x2e,0x00,0x78,0x5a,0xcd,0x30,0xea,0x73,0x37,0x8a,0x0d,0x12,
  410. 0x50,0x28,0x28,0x03
  411. };
  412. static const unsigned char sha1_returnedbits[] =
  413. {
  414. 0xe7,0x87,0x8b,0x01,0xc1,0xd3,0xd8,0x43,0xd4,0x8f,0xcd,0x24,
  415. 0x54,0x67,0xa2,0x6e,0x17,0x94,0x73,0x1c
  416. };
  417. /* SHA-224 PR */
  418. static const unsigned char sha224_entropyinput[] =
  419. {
  420. 0xfc,0x31,0xc1,0x87,0x43,0x07,0xb1,0xe5,0x71,0x48,0x5d,0x0e,
  421. 0xad,0xf8,0x68,0x09,0x6f,0xfe,0x80,0x2a,0xc1,0x12,0xb8,0xa6
  422. };
  423. static const unsigned char sha224_nonce[] =
  424. {
  425. 0xfd,0xba,0x25,0x2e,0xc1,0x7c,0x4e,0xa1,0x4d,0xef,0xeb,0x5d
  426. };
  427. static const unsigned char sha224_personalizationstring[] =
  428. {
  429. 0xc9,0x15,0xe4,0x8c,0x2a,0x4c,0xc9,0xe6,0x23,0x5c,0xb8,0x5a,
  430. 0x97,0x89,0x6a,0x10,0x75,0x68,0x27,0x00,0x0e,0x6f,0x44,0x1e
  431. };
  432. static const unsigned char sha224_additionalinput[] =
  433. {
  434. 0xd3,0xab,0x74,0x74,0xe7,0x80,0x87,0x9e,0x89,0x08,0xbe,0xf1,
  435. 0x99,0x09,0x26,0xa4,0x2b,0x8c,0xb7,0xa0,0xc2,0xcc,0xae,0x0a
  436. };
  437. static const unsigned char sha224_entropyinputpr[] =
  438. {
  439. 0xbd,0xc1,0x21,0x62,0x43,0x19,0x25,0x15,0x19,0xc5,0xcd,0x53,
  440. 0x9e,0xb4,0x17,0xff,0xaa,0x03,0xf6,0x5a,0x4d,0x69,0x28,0x0b
  441. };
  442. static const unsigned char sha224_additionalinput2[] =
  443. {
  444. 0xdb,0xf5,0x57,0xea,0x5b,0xc8,0x0a,0xa9,0x32,0x72,0xcf,0x7d,
  445. 0xa4,0xeb,0x4f,0xbf,0x64,0x5d,0x74,0x04,0x0e,0x4e,0x0f,0xed
  446. };
  447. static const unsigned char sha224_entropyinputpr2[] =
  448. {
  449. 0xab,0xce,0xe1,0xfd,0xaa,0x35,0x5c,0x0a,0xfe,0xd8,0x18,0xac,
  450. 0x92,0x79,0x79,0x53,0xbc,0xb5,0x45,0xf6,0xf9,0x73,0x7f,0x24
  451. };
  452. static const unsigned char sha224_returnedbits[] =
  453. {
  454. 0xb2,0xc2,0x40,0xc4,0x2a,0x25,0x63,0xdb,0x99,0x59,0x7b,0x7b,
  455. 0xee,0xdb,0x51,0x8d,0x18,0x4c,0x09,0x26,0x22,0x1a,0xe9,0x76,
  456. 0x54,0x5f,0xb5,0x28
  457. };
  458. /* SHA-256 PR */
  459. static const unsigned char sha256_entropyinput[] =
  460. {
  461. 0xbc,0x67,0x4e,0x95,0xf1,0xca,0x71,0xdd,0xd3,0x97,0x3a,0x39,
  462. 0x3f,0x3d,0x7f,0xf2,0x99,0x02,0xcf,0x12,0x02,0xea,0xcc,0xf3,
  463. 0xd7,0xe7,0xcc,0x08,0x6c,0x41,0xb1,0xed
  464. };
  465. static const unsigned char sha256_nonce[] =
  466. {
  467. 0x44,0x06,0xa7,0x61,0x15,0x0a,0x6a,0x2d,0xa9,0x18,0x10,0xb5,
  468. 0x6d,0xf0,0xd4,0xf7
  469. };
  470. static const unsigned char sha256_personalizationstring[] =
  471. {
  472. 0x8f,0x39,0xd5,0x6a,0x46,0xde,0xa2,0x57,0xdf,0x39,0xdb,0xca,
  473. 0x13,0xca,0x51,0x0f,0x43,0x2a,0x77,0x3a,0x38,0x7a,0x3b,0x35,
  474. 0x1e,0x13,0x26,0x0e,0xc1,0x6b,0xb6,0x81
  475. };
  476. static const unsigned char sha256_additionalinput[] =
  477. {
  478. 0x95,0x01,0xbe,0x52,0xaa,0xc4,0x32,0x5a,0x3c,0xea,0x57,0xc4,
  479. 0x5c,0xfa,0x25,0x4e,0xc5,0xf3,0xc2,0xa6,0x39,0xce,0x00,0x97,
  480. 0x19,0x50,0x17,0x71,0x44,0x13,0xa5,0xbd
  481. };
  482. static const unsigned char sha256_entropyinputpr[] =
  483. {
  484. 0x8e,0x8a,0x19,0x03,0xa7,0x77,0xaa,0x64,0x4f,0x11,0x45,0x1d,
  485. 0x66,0x74,0x88,0xdf,0x2c,0x9b,0xc3,0xc8,0xbb,0x8c,0x99,0x34,
  486. 0xc6,0xc7,0xdb,0xc1,0x92,0xef,0xa3,0xa3
  487. };
  488. static const unsigned char sha256_additionalinput2[] =
  489. {
  490. 0x2b,0x91,0x7f,0xf3,0x78,0x3f,0x18,0x73,0x7c,0x5f,0xc2,0xda,
  491. 0x1d,0x8c,0xc4,0xcd,0x74,0x4d,0xc1,0x7a,0x6c,0xe2,0x73,0x07,
  492. 0x9d,0x55,0xa8,0x42,0x69,0xc0,0x7c,0x85
  493. };
  494. static const unsigned char sha256_entropyinputpr2[] =
  495. {
  496. 0x4c,0x3f,0xee,0x8b,0x98,0x0e,0x55,0x7e,0xab,0xc3,0xd3,0x0e,
  497. 0x35,0x33,0x72,0x75,0x9f,0x4b,0x87,0xce,0x05,0xbe,0xd4,0x6b,
  498. 0x70,0xec,0xdb,0x5a,0x57,0x14,0x83,0x34
  499. };
  500. static const unsigned char sha256_returnedbits[] =
  501. {
  502. 0xa5,0x2c,0xab,0x93,0x63,0x57,0x5d,0x60,0x80,0x4c,0x71,0xbb,
  503. 0xc2,0x3d,0x43,0x13,0xd8,0xe1,0x60,0x63,0x5e,0xf8,0xb1,0x4c,
  504. 0x93,0x06,0x86,0x9e,0x03,0x0a,0x16,0x75
  505. };
  506. /* SHA-384 PR */
  507. static const unsigned char sha384_entropyinput[] =
  508. {
  509. 0xad,0x6c,0xfb,0xdd,0x40,0xd9,0xf1,0x0a,0xc6,0xe4,0x28,0xf9,
  510. 0x8c,0xb1,0x66,0xce,0x7e,0x7f,0xbb,0xea,0xcd,0x79,0x3d,0x54,
  511. 0xc6,0xc0,0x07,0x68,0xf0,0xb7,0x73,0xc5
  512. };
  513. static const unsigned char sha384_nonce[] =
  514. {
  515. 0xfb,0xe1,0xb2,0x81,0x77,0xb0,0x14,0x94,0xae,0xbb,0x8d,0x01,
  516. 0xfb,0x74,0xc9,0xa1
  517. };
  518. static const unsigned char sha384_personalizationstring[] =
  519. {
  520. 0x02,0x8e,0xa9,0xc2,0x7e,0x0e,0x78,0xea,0x29,0xca,0x19,0xd4,
  521. 0x58,0x89,0x71,0x45,0x18,0xd9,0x1f,0xc0,0x8f,0x92,0x02,0xb8,
  522. 0x90,0xa7,0xec,0xf6,0x7f,0x33,0xa6,0x47
  523. };
  524. static const unsigned char sha384_additionalinput[] =
  525. {
  526. 0x98,0x0e,0xe3,0x3c,0x8e,0x6b,0x82,0xc0,0x56,0xd0,0x93,0x14,
  527. 0x6a,0x79,0xa8,0xec,0x09,0xb7,0x49,0x01,0x71,0xdb,0x58,0x97,
  528. 0x5a,0x61,0xa5,0x4e,0xb4,0x5f,0xce,0x2b
  529. };
  530. static const unsigned char sha384_entropyinputpr[] =
  531. {
  532. 0x50,0xef,0xaa,0x65,0x95,0x0d,0x4f,0x97,0x3e,0x57,0x59,0x48,
  533. 0xf9,0x4e,0xee,0x51,0xf8,0x46,0xec,0x4c,0x2d,0x55,0x47,0x23,
  534. 0xc5,0x7b,0xa3,0xda,0xe5,0x12,0x34,0x9a
  535. };
  536. static const unsigned char sha384_additionalinput2[] =
  537. {
  538. 0x1c,0xcd,0xe0,0xc1,0x15,0xd4,0x7f,0xfa,0x9e,0x16,0xe7,0x6d,
  539. 0x22,0x55,0xfd,0x34,0x3f,0xec,0x1d,0x40,0x9e,0xdd,0x15,0x07,
  540. 0x13,0x1c,0x65,0x6e,0xf7,0x1c,0xb6,0xf8
  541. };
  542. static const unsigned char sha384_entropyinputpr2[] =
  543. {
  544. 0xa0,0x8b,0x48,0xdc,0x7b,0x74,0x54,0xd0,0x0a,0x10,0x0e,0xc9,
  545. 0xf2,0xe0,0xf0,0x30,0x38,0xf5,0x46,0x27,0xf4,0x54,0x06,0x95,
  546. 0x56,0xab,0xf4,0x74,0xd8,0x34,0xf5,0x5d
  547. };
  548. static const unsigned char sha384_returnedbits[] =
  549. {
  550. 0x03,0x54,0x62,0xaa,0x5c,0x61,0x28,0xfc,0x96,0x04,0xd6,0x4f,
  551. 0x50,0x5c,0x9e,0x7c,0x9e,0x1d,0x41,0x76,0x41,0xa0,0x60,0x70,
  552. 0x62,0x4f,0x42,0x1a,0x69,0xce,0x30,0xc4,0xf7,0x89,0xc8,0x93,
  553. 0xed,0xe9,0x42,0xf4,0x59,0x55,0x7c,0x6c,0xd3,0x4e,0xff,0x05
  554. };
  555. /* SHA-512 PR */
  556. static const unsigned char sha512_entropyinput[] =
  557. {
  558. 0x22,0xb1,0x72,0xe3,0xc4,0x87,0xe7,0x76,0x4e,0x85,0xb5,0xca,
  559. 0x86,0x4f,0x21,0x2b,0x4f,0x29,0x8e,0x8a,0xfc,0x88,0xfc,0xa1,
  560. 0xf6,0xd7,0xc1,0x63,0x90,0x8d,0x85,0xa9
  561. };
  562. static const unsigned char sha512_nonce[] =
  563. {
  564. 0xcc,0x8b,0x86,0x21,0xa7,0xbe,0xd3,0xe1,0xde,0xd2,0x47,0xfc,
  565. 0x9c,0x4a,0xdb,0x85
  566. };
  567. static const unsigned char sha512_personalizationstring[] =
  568. {
  569. 0xb7,0x7c,0xb3,0x4f,0xf8,0xcd,0x19,0x89,0xdb,0x0c,0xcf,0xc9,
  570. 0xce,0xcd,0x48,0xcd,0x62,0x9c,0x51,0x38,0x85,0xe4,0x6c,0x17,
  571. 0x02,0x1b,0x6b,0xb5,0x3c,0x31,0x4f,0xa1
  572. };
  573. static const unsigned char sha512_additionalinput[] =
  574. {
  575. 0x69,0x3f,0xcf,0xf5,0x38,0x09,0x0d,0x3c,0xfb,0xea,0x94,0xa6,
  576. 0xf3,0xdc,0xb3,0xa8,0xcb,0x61,0x3b,0x8d,0x8e,0x31,0x94,0xc2,
  577. 0xe8,0x20,0x1c,0x62,0xa0,0x54,0xc2,0x03
  578. };
  579. static const unsigned char sha512_entropyinputpr[] =
  580. {
  581. 0xa0,0xcf,0x6f,0x0f,0x55,0x88,0x84,0xad,0x8d,0x2e,0x08,0x91,
  582. 0x8a,0x65,0xc0,0xb4,0xc9,0xbe,0x21,0x29,0xbe,0x23,0x2d,0x2b,
  583. 0xd1,0x81,0x90,0x66,0x97,0xb6,0xfa,0x84
  584. };
  585. static const unsigned char sha512_additionalinput2[] =
  586. {
  587. 0x1f,0x5e,0x49,0xb5,0xa3,0xfa,0xe8,0x89,0xc5,0x1b,0x39,0x2b,
  588. 0x9e,0xc7,0x36,0x85,0x5b,0xa9,0x9f,0x91,0x79,0xfe,0x5c,0xe6,
  589. 0x41,0xbe,0x14,0x87,0x81,0x08,0x0d,0xee
  590. };
  /*
   * NOTE(review): the original comment here read "not constant so we can
   * corrupt it", but the array is declared const.  In this listing the
   * induced KAT failure comes from fips_drbg_single_kat() halving adinlen
   * when fips_post_corrupt() returns 0, not from writing to this data.
   * Confirm that no code outside this listing modifies the array.
   */
  static const unsigned char sha512_entropyinputpr2[] =
  {
      0xed,0x22,0x42,0x61,0xa7,0x4c,0xed,0xc7,0x10,0x82,0x61,0x17,
      0xaa,0x7d,0xdb,0x4e,0x1c,0x96,0x61,0x23,0xcd,0x8f,0x84,0x77,
      0xc3,0xa2,0x55,0xff,0xbb,0xc9,0xa6,0x2f
  };
  598. static const unsigned char sha512_returnedbits[] =
  599. {
  600. 0x79,0x60,0x41,0xaa,0x6c,0xdd,0x17,0x28,0xc0,0x4d,0xc0,0x17,
  601. 0xc0,0x66,0x46,0x67,0x0d,0x20,0xe2,0x67,0x96,0xd5,0x2a,0xf4,
  602. 0x58,0x0a,0x06,0xab,0xc1,0x4c,0x70,0xc1,0xb8,0x9d,0x68,0x79,
  603. 0x28,0x07,0x38,0x4a,0xc3,0xec,0x3b,0x19,0x02,0xe7,0x13,0x82,
  604. 0x8f,0xc3,0xed,0x59,0x88,0xdd,0x88,0xaf,0xac,0xf0,0x57,0x6c,
  605. 0x14,0x0b,0x50,0x11
  606. };
  /*
   * Table of KAT vectors, one per supported mechanism: CTR DRBG with and
   * without a derivation function for AES-128/192/256, then the SHA-1 and
   * SHA-2 entries.  The final {0,0,0} entry leaves every remaining field
   * zero-initialized.
   * NOTE(review): the code that walks this table is outside this listing;
   * presumably it stops at the entry whose nid is 0 -- confirm.
   */
  static DRBG_SELFTEST_DATA drbg_test[] = {
      make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df),
      make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df),
      make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df),
      make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df),
      make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df),
      make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df),
      make_drbg_test_data(NID_sha1, 0, sha1),
      make_drbg_test_data(NID_sha224, 0, sha224),
      make_drbg_test_data(NID_sha256, 0, sha256),
      make_drbg_test_data(NID_sha384, 0, sha384),
      make_drbg_test_data(NID_sha512, 0, sha512),
      {0,0,0}
  };
  /*
   * State shared with the test_entropy/test_nonce callbacks through the
   * DRBG's app_data pointer.  The test swaps ent/entlen between calls to
   * control exactly which bytes the DRBG is fed.
   */
  typedef struct
  {
      /* Buffer and length that test_entropy hands back to the DRBG. */
      const unsigned char *ent;
      size_t entlen;
      /* Number of times test_entropy has been called. */
      int entcnt;
      /* Buffer and length that test_nonce hands back to the DRBG. */
      const unsigned char *nonce;
      size_t noncelen;
      /* Number of times test_nonce has been called. */
      int noncecnt;
  } TEST_ENT;
  /*
   * Entropy callback used only by the self-test: returns the fixed vector
   * currently stored in the TEST_ENT attached to dctx and counts the call.
   *
   * The requested strength and the min_len/max_len bounds are ignored, and
   * constness of the vector is cast away to fit the callback signature, so
   * this must never be installed on a DRBG that produces real output.
   *
   * Returns the length of the vector; *pout is set to point at it.
   */
  static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
                             int entropy, size_t min_len, size_t max_len)
  {
      TEST_ENT *src = FIPS_drbg_get_app_data(dctx);
      size_t supplied = src->entlen;

      src->entcnt += 1;
      *pout = (unsigned char *)src->ent;
      return supplied;
  }
  /*
   * Nonce callback used only by the self-test: returns the fixed nonce
   * currently stored in the TEST_ENT attached to dctx and counts the call.
   *
   * As with test_entropy, the entropy/min_len/max_len arguments are ignored
   * and constness of the vector is cast away to fit the callback signature.
   *
   * Returns the nonce length; *pout is set to point at the nonce.
   */
  static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
                           int entropy, size_t min_len, size_t max_len)
  {
      TEST_ENT *src = FIPS_drbg_get_app_data(dctx);
      size_t supplied = src->noncelen;

      src->noncecnt += 1;
      *pout = (unsigned char *)src->nonce;
      return supplied;
  }
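  /*
   * Run one known-answer test against dctx using the vector in td.
   *
   * The DRBG is initialised with test callbacks, instantiated, and asked to
   * generate twice; the output of the second call must equal td->kat.
   * Returns 1 on success and 0 on failure.  Every failure after the
   * callbacks are installed raises FIPS_R_SELFTEST_FAILED and uninstantiates
   * the DRBG; a failure in FIPS_drbg_init or FIPS_drbg_set_callbacks returns
   * 0 without raising it here.
   *
   * NOTE(review): dctx's app_data is left pointing at the local TEST_ENT
   * when this function returns.  Confirm that FIPS_drbg_uninstantiate()
   * clears it, or that callers re-initialise dctx before reuse.
   */
  static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
  {
      TEST_ENT t;
      int rv = 0;
      size_t adinlen;
      unsigned char randout[1024];

      /*
       * Both generate calls write td->katlen bytes into randout, so reject
       * a vector that would not fit rather than overrun the stack buffer.
       */
      if (td->katlen > sizeof(randout)) {
          FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
          return 0;
      }

      if (!FIPS_drbg_init(dctx, td->nid, td->flags))
          return 0;
      if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
          return 0;

      FIPS_drbg_set_app_data(dctx, &t);

      /* Vectors consumed by the callbacks during instantiate. */
      t.ent = td->ent;
      t.entlen = td->entlen;
      t.nonce = td->nonce;
      t.noncelen = td->noncelen;
      t.entcnt = 0;
      t.noncecnt = 0;

      if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
          goto err;

      /* Entropy the callback will return during the first generate call. */
      t.ent = td->entpr;
      t.entlen = td->entprlen;

      /* Note for CTR without DF some additional input values
       * ignore bytes after the keylength: so reduce adinlen
       * to half to ensure invalid data is fed in.
       *
       * The shortened length is used only when fips_post_corrupt()
       * returns 0, i.e. when a deliberate failure has been requested
       * for this test (presumably -- confirm against fips_post_corrupt).
       */
      if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->flags))
          adinlen = td->adinlen / 2;
      else
          adinlen = td->adinlen;

      /* NOTE(review): the literal 1 is presumably the prediction-resistance
       * request (the vectors are labelled "PR") -- confirm against the
       * FIPS_drbg_generate prototype. */
      if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
                              td->adin, adinlen))
          goto err;

      /* Entropy the callback will return during the second generate call. */
      t.ent = td->entg;
      t.entlen = td->entglen;

      if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
                              td->ading, td->adinglen))
          goto err;

      /* Only the second block of output is checked against the vector. */
      if (memcmp(randout, td->kat, td->katlen))
          goto err;

      rv = 1;

  err:
      if (rv == 0)
          FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
      FIPS_drbg_uninstantiate(dctx);

      return rv;
  }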
  /* This is the "health check" function required by SP800-90. Induce several
   * failure modes and check an error condition is set.
   *
   * The check runs in three phases, each starting from a fresh
   * FIPS_drbg_init():
   *   1. calls that must fail on a context that is not yet instantiated
   *      (oversized personalisation string, zero-length entropy, generate
   *      before instantiate);
   *   2. calls that must fail on a working instance (strength above the
   *      instance's own, request longer than max_request, prediction
   *      resistance with a failing entropy source);
   *   3. reseed behaviour, followed by a check that uninstantiate leaves
   *      dctx->d all zero.
   *
   * DRBG_FLAG_NOERR is set around the induced failures and cleared again
   * before calls that are expected to succeed.
   *
   * Returns 1 if every induced failure was detected and every valid
   * operation succeeded, 0 otherwise.
   */
  static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
  {
      /* NOTE(review): fixed-size output buffer; the generate calls below pass
       * td->katlen and dctx->max_request + 1 as lengths without comparing
       * them to sizeof(randout). The oversized request is expected to be
       * rejected; presumably nothing is written in that case -- confirm
       * against FIPS_drbg_generate.
       */
      unsigned char randout[1024];
      /* Test state read by the test_entropy / test_nonce callbacks through
       * the context's application data pointer.
       */
      TEST_ENT t;
      size_t i;
      /* This initial value is never read: p is reassigned to &dctx->d
       * before its first dereference.
       */
      unsigned char *p = (unsigned char *)dctx;
      /* Initialise DRBG */
      if (!FIPS_drbg_init(dctx, td->nid, td->flags))
          goto err;
      if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
          goto err;
      FIPS_drbg_set_app_data(dctx, &t);
      t.ent = td->ent;
      t.entlen = td->entlen;
      t.nonce = td->nonce;
      t.noncelen = td->noncelen;
      t.entcnt = 0;
      t.noncecnt = 0;
      /* Don't report induced errors */
      dctx->flags |= DRBG_FLAG_NOERR;
      /* Try too large a personalisation length */
      if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
          goto err;
      }
      /* Test entropy source failure detection: the test callback now
       * reports a zero-length entropy input, so instantiate must fail.
       */
      t.entlen = 0;
      if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
          goto err;
      }
      /* Try to generate output from uninstantiated DRBG */
      if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
                             td->adin, td->adinlen))
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
          goto err;
      }
      /* End of the first group of induced failures: report errors again */
      dctx->flags &= ~DRBG_FLAG_NOERR;
      if (!FIPS_drbg_uninstantiate(dctx))
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
          goto err;
      }
      /* Instantiate with valid data. NB: errors now reported again */
      if (!FIPS_drbg_init(dctx, td->nid, td->flags))
          goto err;
      if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
          goto err;
      FIPS_drbg_set_app_data(dctx, &t);
      /* Restore the real entropy length that was zeroed above */
      t.entlen = td->entlen;
      if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
          goto err;
      /* Check generation is now OK */
      if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
                              td->adin, td->adinlen))
          goto err;
      /* Try to generate with too high a strength. Skipped when the instance
       * already has strength 256, since a request for 256 would then be
       * valid.
       */
      dctx->flags |= DRBG_FLAG_NOERR;
      if (dctx->strength != 256)
      {
          if (FIPS_drbg_generate(dctx, randout, td->katlen, 256, 0,
                                 td->adin, td->adinlen))
          {
              FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_STRENGTH_ERROR_UNDETECTED);
              goto err;
          }
      }
      /* Request too much data for one request */
      if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, 0,
                             td->adin, td->adinlen))
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
          goto err;
      }
      /* Check prediction resistance request fails if entropy source
       * failure.
       */
      t.entlen = 0;
      if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
                             td->adin, td->adinlen))
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
          goto err;
      }
      /* End of the second group of induced failures */
      dctx->flags &= ~DRBG_FLAG_NOERR;
      if (!FIPS_drbg_uninstantiate(dctx))
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
          goto err;
      }
      /* Instantiate again with valid data */
      if (!FIPS_drbg_init(dctx, td->nid, td->flags))
          goto err;
      if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
          goto err;
      FIPS_drbg_set_app_data(dctx, &t);
      t.entlen = td->entlen;
      /* Test reseeding works: with an interval of 2, the two generate calls
       * below are expected to leave the DRBG in the "reseed needed" state.
       */
      dctx->reseed_interval = 2;
      if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
          goto err;
      /* Check generation is now OK */
      if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
                              td->adin, td->adinlen))
          goto err;
      if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
                              td->adin, td->adinlen))
          goto err;
      /* DRBG should now require a reseed */
      if (dctx->status != DRBG_STATUS_RESEED)
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
          goto err;
      }
      /* Generate again and check entropy has been requested for reseed */
      t.entcnt = 0;
      if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
                              td->adin, td->adinlen))
          goto err;
      if (t.entcnt != 1)
      {
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
          goto err;
      }
      /* Unlike the two earlier calls, the return value is not checked here;
       * the byte scan below verifies the result instead.
       */
      FIPS_drbg_uninstantiate(dctx);
      p = (unsigned char *)&dctx->d;
      /* Standard says we have to check uninstantiate really zeroes
       * the data... Only dctx->d is scanned, not the rest of the context.
       */
      for (i = 0; i < sizeof(dctx->d); i++)
      {
          if (*p != 0)
          {
              FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
              goto err;
          }
          p++;
      }
      return 1;
  err:
      /* A real error as opposed to an induced one: underlying function will
       * indicate the error. When DRBG_FLAG_NOERR is clear, FUNCTION_ERROR is
       * raised in addition to any specific reason raised just before the
       * jump here.
       */
      if (!(dctx->flags & DRBG_FLAG_NOERR))
          FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_FUNCTION_ERROR);
      FIPS_drbg_uninstantiate(dctx);
      return 0;
  }
  /*
   * Run the self-test for one DRBG mechanism.
   *
   * Scans drbg_test (terminated by an entry with nid == 0) for the first
   * entry whose nid and flags both equal the arguments, runs its
   * known-answer test and, if that passes, its health check.
   *
   * Returns the KAT result if it is <= 0, otherwise the health check
   * result. Returns 0 when no entry matches, so an unknown mechanism is
   * reported as a failure rather than silently accepted.
   */
  int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
  {
      DRBG_SELFTEST_DATA *vec = drbg_test;
      int kat_result;

      while (vec->nid != 0)
      {
          /* Not the requested mechanism: move on to the next vector. */
          if (vec->nid != nid || vec->flags != flags)
          {
              vec++;
              continue;
          }

          kat_result = fips_drbg_single_kat(dctx, vec);
          if (kat_result <= 0)
              return kat_result;

          return fips_drbg_health_check(dctx, vec);
      }

      return 0;
  }
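  /*
   * Power-on self-test for every DRBG mechanism listed in drbg_test.
   *
   * For each table entry the POST "started" hook is called, then the
   * known-answer test and the health check are run. A failing entry is
   * reported through fips_post_failed() and the loop carries on with the
   * next entry, so all mechanisms are exercised even after a failure.
   *
   * Returns 1 if every entry passed, 0 if any entry failed, if the
   * context could not be allocated, or if fips_post_success() returns 0.
   * If fips_post_started() returns 0 the function stops and returns 1.
   *
   * The scratch context is released on every exit path; the early exits
   * previously returned without calling FIPS_drbg_free().
   */
  int FIPS_selftest_drbg(void)
  {
      DRBG_CTX *dctx;
      DRBG_SELFTEST_DATA *td;
      int rv = 1;

      dctx = FIPS_drbg_new(0, 0);
      if (!dctx)
          return 0;

      for (td = drbg_test; td->nid != 0; td++)
      {
          if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
          {
              /*
               * NOTE(review): this reports success even if an earlier
               * entry already set rv to 0. The original return value is
               * kept here; confirm that masking a recorded failure is
               * intended.
               */
              rv = 1;
              goto done;
          }

          /* The health check only runs when the KAT has passed. */
          if (!fips_drbg_single_kat(dctx, td)
              || !fips_drbg_health_check(dctx, td))
          {
              fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
              rv = 0;
              continue;
          }

          if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
          {
              rv = 0;
              goto done;
          }
      }

  done:
      FIPS_drbg_free(dctx);
      return rv;
  }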