2 * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include <openssl/obj_mac.h>
16 #include <openssl/evp.h>
17 #include <openssl/aes.h>
18 #include "../crypto/rand/rand_lcl.h"
23 typedef struct drbg_selftest_data_st
{
28 /* KAT data for no PR */
29 const unsigned char *ent
;
31 const unsigned char *nonce
;
33 const unsigned char *pers
;
35 const unsigned char *adin
;
37 const unsigned char *entreseed
;
39 const unsigned char *adinreseed
;
41 const unsigned char *adin2
;
43 const unsigned char *expected
;
45 const unsigned char *kat2
;
49 const unsigned char *ent_pr
;
51 const unsigned char *nonce_pr
;
53 const unsigned char *pers_pr
;
55 const unsigned char *adin_pr
;
57 const unsigned char *entpr_pr
;
59 const unsigned char *ading_pr
;
61 const unsigned char *entg_pr
;
63 const unsigned char *kat_pr
;
65 const unsigned char *kat2_pr
;
69 #define make_drbg_test_data(nid, flag, pr, post) {\
71 pr##_entropyinput, sizeof(pr##_entropyinput), \
72 pr##_nonce, sizeof(pr##_nonce), \
73 pr##_personalizationstring, sizeof(pr##_personalizationstring), \
74 pr##_additionalinput, sizeof(pr##_additionalinput), \
75 pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
76 pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
77 pr##_additionalinput2, sizeof(pr##_additionalinput2), \
78 pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
79 pr##_returnedbits, sizeof(pr##_returnedbits), \
80 pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
81 pr##_pr_nonce, sizeof(pr##_pr_nonce), \
82 pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
83 pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
84 pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
85 pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
86 pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
87 pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
88 pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
91 #define make_drbg_test_data_df(nid, pr, p) \
92 make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_USE_DF, pr, p)
94 static DRBG_SELFTEST_DATA drbg_test
[] = {
95 make_drbg_test_data (NID_aes_128_ctr
, 0, aes_128_no_df
, 0),
96 make_drbg_test_data (NID_aes_192_ctr
, 0, aes_192_no_df
, 0),
97 make_drbg_test_data (NID_aes_256_ctr
, 0, aes_256_no_df
, 1),
98 make_drbg_test_data_df(NID_aes_128_ctr
, aes_128_use_df
, 0),
99 make_drbg_test_data_df(NID_aes_192_ctr
, aes_192_use_df
, 0),
100 make_drbg_test_data_df(NID_aes_256_ctr
, aes_256_use_df
, 1),
103 static int app_data_index
;
106 * Test context data, attached as EXDATA to the RAND_DRBG
108 typedef struct test_ctx_st
{
109 const unsigned char *ent
;
112 const unsigned char *nonce
;
117 static size_t kat_entropy(RAND_DRBG
*drbg
, unsigned char **pout
,
118 int entropy
, size_t min_len
, size_t max_len
)
120 TEST_CTX
*t
= (TEST_CTX
*)RAND_DRBG_get_ex_data(drbg
, app_data_index
);
123 *pout
= (unsigned char *)t
->ent
;
127 static size_t kat_nonce(RAND_DRBG
*drbg
, unsigned char **pout
,
128 int entropy
, size_t min_len
, size_t max_len
)
130 TEST_CTX
*t
= (TEST_CTX
*)RAND_DRBG_get_ex_data(drbg
, app_data_index
);
133 *pout
= (unsigned char *)t
->nonce
;
137 static int uninstantiate(RAND_DRBG
*drbg
)
139 int ret
= drbg
== NULL
? 1 : RAND_DRBG_uninstantiate(drbg
);
146 * Do a single KAT test. Return 0 on failure.
148 static int single_kat(DRBG_SELFTEST_DATA
*td
)
150 RAND_DRBG
*drbg
= NULL
;
153 unsigned char buff
[1024];
156 * Test without PR: Instantiate DRBG with test entropy, nonce and
157 * personalisation string.
159 if (!TEST_ptr(drbg
= RAND_DRBG_new(td
->nid
, td
->flags
, NULL
)))
161 if (!TEST_true(RAND_DRBG_set_callbacks(drbg
, kat_entropy
, NULL
,
166 memset(&t
, 0, sizeof(t
));
168 t
.entlen
= td
->entlen
;
170 t
.noncelen
= td
->noncelen
;
171 RAND_DRBG_set_ex_data(drbg
, app_data_index
, &t
);
173 if (!TEST_true(RAND_DRBG_instantiate(drbg
, td
->pers
, td
->perslen
))
174 || !TEST_true(RAND_DRBG_generate(drbg
, buff
, td
->exlen
, 0,
175 td
->adin
, td
->adinlen
))
176 || !TEST_mem_eq(td
->expected
, td
->exlen
, buff
, td
->exlen
))
179 /* Reseed DRBG with test entropy and additional input */
180 t
.ent
= td
->entreseed
;
181 t
.entlen
= td
->entreseedlen
;
182 if (!TEST_true(RAND_DRBG_reseed(drbg
, td
->adinreseed
, td
->adinreseedlen
)
183 || !TEST_true(RAND_DRBG_generate(drbg
, buff
, td
->kat2len
, 0,
184 td
->adin2
, td
->adin2len
))
185 || !TEST_mem_eq(td
->kat2
, td
->kat2len
, buff
, td
->kat2len
)))
190 * Now test with PR: Instantiate DRBG with test entropy, nonce and
191 * personalisation string.
193 if (!TEST_true(RAND_DRBG_set(drbg
, td
->nid
, td
->flags
))
194 || !TEST_true(RAND_DRBG_set_callbacks(drbg
, kat_entropy
, NULL
,
197 RAND_DRBG_set_ex_data(drbg
, app_data_index
, &t
);
199 t
.entlen
= td
->entlen_pr
;
200 t
.nonce
= td
->nonce_pr
;
201 t
.noncelen
= td
->noncelen_pr
;
204 if (!TEST_true(RAND_DRBG_instantiate(drbg
, td
->pers_pr
, td
->perslen_pr
)))
208 * Now generate with PR: we need to supply entropy as this will
209 * perform a reseed operation.
211 t
.ent
= td
->entpr_pr
;
212 t
.entlen
= td
->entprlen_pr
;
213 if (!TEST_true(RAND_DRBG_generate(drbg
, buff
, td
->katlen_pr
, 1,
214 td
->adin_pr
, td
->adinlen_pr
))
215 || !TEST_mem_eq(td
->kat_pr
, td
->katlen_pr
, buff
, td
->katlen_pr
))
219 * Now generate again with PR: supply new entropy again.
222 t
.entlen
= td
->entglen_pr
;
224 if (!TEST_true(RAND_DRBG_generate(drbg
, buff
, td
->kat2len_pr
, 1,
225 td
->ading_pr
, td
->adinglen_pr
))
226 || !TEST_mem_eq(td
->kat2_pr
, td
->kat2len_pr
,
227 buff
, td
->kat2len_pr
))
232 RAND_DRBG_free(drbg
);
233 return failures
== 0;
237 * Initialise a DRBG based on selftest data
239 static int init(RAND_DRBG
*drbg
, DRBG_SELFTEST_DATA
*td
, TEST_CTX
*t
)
241 if (!TEST_true(RAND_DRBG_set(drbg
, td
->nid
, td
->flags
))
242 || !TEST_true(RAND_DRBG_set_callbacks(drbg
, kat_entropy
, NULL
,
245 RAND_DRBG_set_ex_data(drbg
, app_data_index
, t
);
247 t
->entlen
= td
->entlen
;
248 t
->nonce
= td
->nonce
;
249 t
->noncelen
= td
->noncelen
;
256 * Initialise and instantiate DRBG based on selftest data
258 static int instantiate(RAND_DRBG
*drbg
, DRBG_SELFTEST_DATA
*td
,
261 if (!TEST_true(init(drbg
, td
, t
))
262 || !TEST_true(RAND_DRBG_instantiate(drbg
, td
->pers
, td
->perslen
)))
268 * Perform extensive error checking as required by SP800-90.
269 * Induce several failure modes and check an error condition is set.
271 static int error_check(DRBG_SELFTEST_DATA
*td
)
273 static char zero
[sizeof(RAND_DRBG
)];
274 RAND_DRBG
*drbg
= NULL
;
276 unsigned char buff
[1024];
277 unsigned int reseed_counter_tmp
;
280 if (!TEST_ptr(drbg
= RAND_DRBG_new(0, 0, NULL
)))
284 * Personalisation string tests
287 /* Test detection of too large personlisation string */
288 if (!init(drbg
, td
, &t
)
289 || RAND_DRBG_instantiate(drbg
, td
->pers
, drbg
->max_pers
+ 1) > 0)
293 * Entropy source tests
296 /* Test entropy source failure detecion: i.e. returns no data */
298 if (TEST_int_le(RAND_DRBG_instantiate(drbg
, td
->pers
, td
->perslen
), 0))
301 /* Try to generate output from uninstantiated DRBG */
302 if (!TEST_false(RAND_DRBG_generate(drbg
, buff
, td
->exlen
, 0,
303 td
->adin
, td
->adinlen
))
304 || !uninstantiate(drbg
))
307 /* Test insufficient entropy */
308 t
.entlen
= drbg
->min_entropy
- 1;
309 if (!init(drbg
, td
, &t
)
310 || RAND_DRBG_instantiate(drbg
, td
->pers
, td
->perslen
) > 0
311 || !uninstantiate(drbg
))
314 /* Test too much entropy */
315 t
.entlen
= drbg
->max_entropy
+ 1;
316 if (!init(drbg
, td
, &t
)
317 || RAND_DRBG_instantiate(drbg
, td
->pers
, td
->perslen
) > 0
318 || !uninstantiate(drbg
))
325 /* Test too small nonce */
326 if (drbg
->min_nonce
) {
327 t
.noncelen
= drbg
->min_nonce
- 1;
328 if (!init(drbg
, td
, &t
)
329 || RAND_DRBG_instantiate(drbg
, td
->pers
, td
->perslen
) > 0
330 || !uninstantiate(drbg
))
334 /* Test too large nonce */
335 if (drbg
->max_nonce
) {
336 t
.noncelen
= drbg
->max_nonce
+ 1;
337 if (!init(drbg
, td
, &t
)
338 || RAND_DRBG_instantiate(drbg
, td
->pers
, td
->perslen
) > 0
339 || !uninstantiate(drbg
))
343 /* Instantiate with valid data, Check generation is now OK */
344 if (!instantiate(drbg
, td
, &t
)
345 || !TEST_true(RAND_DRBG_generate(drbg
, buff
, td
->exlen
, 0,
346 td
->adin
, td
->adinlen
)))
349 /* Request too much data for one request */
350 if (!TEST_false(RAND_DRBG_generate(drbg
, buff
, drbg
->max_request
+ 1, 0,
351 td
->adin
, td
->adinlen
)))
354 /* Try too large additional input */
355 if (!TEST_false(RAND_DRBG_generate(drbg
, buff
, td
->exlen
, 0,
356 td
->adin
, drbg
->max_adin
+ 1)))
360 * Check prediction resistance request fails if entropy source
364 if (TEST_false(RAND_DRBG_generate(drbg
, buff
, td
->exlen
, 1,
365 td
->adin
, td
->adinlen
))
366 || !uninstantiate(drbg
))
369 /* Instantiate again with valid data */
370 if (!instantiate(drbg
, td
, &t
))
372 reseed_counter_tmp
= drbg
->reseed_counter
;
373 drbg
->reseed_counter
= drbg
->reseed_interval
;
375 /* Generate output and check entropy has been requested for reseed */
377 if (!TEST_true(RAND_DRBG_generate(drbg
, buff
, td
->exlen
, 0,
378 td
->adin
, td
->adinlen
))
379 || !TEST_int_eq(t
.entcnt
, 1)
380 || !TEST_int_eq(drbg
->reseed_counter
, reseed_counter_tmp
+ 1)
381 || !uninstantiate(drbg
))
385 * Check prediction resistance request fails if entropy source
389 if (!TEST_false(RAND_DRBG_generate(drbg
, buff
, td
->exlen
, 1,
390 td
->adin
, td
->adinlen
))
391 || !uninstantiate(drbg
))
394 /* Test reseed counter works */
395 if (!instantiate(drbg
, td
, &t
))
397 reseed_counter_tmp
= drbg
->reseed_counter
;
398 drbg
->reseed_counter
= drbg
->reseed_interval
;
400 /* Generate output and check entropy has been requested for reseed */
402 if (!TEST_true(RAND_DRBG_generate(drbg
, buff
, td
->exlen
, 0,
403 td
->adin
, td
->adinlen
))
404 || !TEST_int_eq(t
.entcnt
, 1)
405 || !TEST_int_eq(drbg
->reseed_counter
, reseed_counter_tmp
+ 1)
406 || !uninstantiate(drbg
))
410 * Explicit reseed tests
413 /* Test explicit reseed with too large additional input */
414 if (!init(drbg
, td
, &t
)
415 || RAND_DRBG_reseed(drbg
, td
->adin
, drbg
->max_adin
+ 1) > 0)
418 /* Test explicit reseed with entropy source failure */
420 if (!TEST_int_le(RAND_DRBG_reseed(drbg
, td
->adin
, td
->adinlen
), 0)
421 || !uninstantiate(drbg
))
424 /* Test explicit reseed with too much entropy */
425 if (!init(drbg
, td
, &t
))
427 t
.entlen
= drbg
->max_entropy
+ 1;
428 if (!TEST_int_le(RAND_DRBG_reseed(drbg
, td
->adin
, td
->adinlen
), 0)
429 || !uninstantiate(drbg
))
432 /* Test explicit reseed with too little entropy */
433 if (!init(drbg
, td
, &t
))
435 t
.entlen
= drbg
->min_entropy
- 1;
436 if (!TEST_int_le(RAND_DRBG_reseed(drbg
, td
->adin
, td
->adinlen
), 0)
437 || !uninstantiate(drbg
))
440 /* Standard says we have to check uninstantiate really zeroes */
441 if (!TEST_mem_eq(zero
, sizeof(drbg
->ctr
), &drbg
->ctr
, sizeof(drbg
->ctr
)))
448 RAND_DRBG_free(drbg
);
452 static int test_kats(int i
)
454 DRBG_SELFTEST_DATA
*td
= &drbg_test
[i
];
465 static int test_error_checks(int i
)
467 DRBG_SELFTEST_DATA
*td
= &drbg_test
[i
];
478 #define RAND_ADD_SIZE 500
480 static int test_rand_add()
484 if (!TEST_ptr(p
= malloc(RAND_ADD_SIZE
)))
486 RAND_add(p
, RAND_ADD_SIZE
, RAND_ADD_SIZE
);
492 int setup_tests(void)
494 app_data_index
= RAND_DRBG_get_ex_new_index(0L, NULL
, NULL
, NULL
, NULL
);
496 ADD_ALL_TESTS(test_kats
, OSSL_NELEM(drbg_test
));
497 ADD_ALL_TESTS(test_error_checks
, OSSL_NELEM(drbg_test
));
498 ADD_TEST(test_rand_add
);