Blob Blame History Raw
# HG changeset patch
# User Franziskus Kiefer <franziskuskiefer@gmail.com>
# Date 1491394302 -7200
#      Wed Apr 05 14:11:42 2017 +0200
# Branch NSS_3_28_BRANCH
# Node ID 7248d38b76e569d2f89b20598fcdca595c3a2e6a
# Parent  6eb39ead39e0b3f6269fd9660a4426187f5302a8
Bug 1345089 - add prng kat tests, r=ttaubert

diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h
--- a/lib/freebl/blapi.h
+++ b/lib/freebl/blapi.h
@@ -1469,6 +1469,12 @@ FIPS186Change_ReduceModQForDSA(const uns
                                const unsigned char *q,
                                unsigned char *xj);
 
+/* To allow NIST KAT tests */
+extern SECStatus
+PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len,
+                         const PRUint8 *nonce, unsigned int nonce_len,
+                         const PRUint8 *personal_string, unsigned int ps_len);
+
 /*
  * The following functions are for FIPS poweron self test and FIPS algorithm
  * testing.
diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
--- a/lib/freebl/drbg.c
+++ b/lib/freebl/drbg.c
@@ -99,7 +99,8 @@ struct RNGContextStr {
      * RNG_RandomUpdate. */
     PRUint8 additionalDataCache[PRNG_ADDITONAL_DATA_CACHE_SIZE];
     PRUint32 additionalAvail;
-    PRBool isValid; /* false if RNG reaches an invalid state */
+    PRBool isValid;   /* false if RNG reaches an invalid state */
+    PRBool isKatTest; /* true if running NIST PRNG KAT tests */
 };
 
 typedef struct RNGContextStr RNGContext;
@@ -150,7 +151,7 @@ prng_Hash_df(PRUint8 *requested_bytes, u
 }
 
 /*
- * Hash_DRBG Instantiate NIST SP 800-80 10.1.1.2
+ * Hash_DRBG Instantiate NIST SP 800-90 10.1.1.2
  *
  * NOTE: bytes & len are entropy || nonce || personalization_string. In
  * normal operation, NSS calculates them all together in a single call.
@@ -158,9 +159,11 @@ prng_Hash_df(PRUint8 *requested_bytes, u
 static SECStatus
 prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len)
 {
-    if (len < PRNG_SEEDLEN) {
-        /* if the seedlen is to small, it's probably because we failed to get
-     * enough random data */
+    if (!rng->isKatTest && len < PRNG_SEEDLEN) {
+        /* If the seedlen is too small, it's probably because we failed to get
+         * enough random data.
+         * This is stricter than NIST SP800-90A requires. Don't enforce it for
+         * tests. */
         PORT_SetError(SEC_ERROR_NEED_RANDOM);
         return SECFailure;
     }
@@ -272,7 +275,7 @@ prng_reseed_test(RNGContext *rng, const 
 
 #define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len, carry) \
     PRNG_ADD_BITS(dest, dest_len, add, len, carry)               \
-    PRNG_ADD_CARRY_ONLY(dest, dest_len - len, carry)
+    PRNG_ADD_CARRY_ONLY(dest, dest_len - len - 1, carry)
 
 /*
  * This function expands the internal state of the prng to fulfill any number
@@ -441,6 +444,7 @@ rng_init(void)
         }
         /* the RNG is in a valid state */
         globalrng->isValid = PR_TRUE;
+        globalrng->isKatTest = PR_FALSE;
 
         /* fetch one random value so that we can populate rng->oldV for our
          * continous random number test. */
@@ -696,6 +700,17 @@ RNG_RNGShutdown(void)
   * entropy we may have previously collected. */
 RNGContext testContext;
 
+SECStatus
+PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len,
+                         const PRUint8 *nonce, unsigned int nonce_len,
+                         const PRUint8 *personal_string, unsigned int ps_len)
+{
+    testContext.isKatTest = PR_TRUE;
+    return PRNGTEST_Instantiate(entropy, entropy_len,
+                                nonce, nonce_len,
+                                personal_string, ps_len);
+}
+
 /*
  * Test vector API. Use NIST SP 800-90 general interface so one of the
  * other NIST SP 800-90 algorithms may be used in the future.