# HG changeset patch # User Franziskus Kiefer # Date 1491394302 -7200 # Wed Apr 05 14:11:42 2017 +0200 # Branch NSS_3_28_BRANCH # Node ID 7248d38b76e569d2f89b20598fcdca595c3a2e6a # Parent 6eb39ead39e0b3f6269fd9660a4426187f5302a8 Bug 1345089 - add prng kat tests, r=ttaubert diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h --- a/lib/freebl/blapi.h +++ b/lib/freebl/blapi.h @@ -1469,6 +1469,12 @@ FIPS186Change_ReduceModQForDSA(const uns const unsigned char *q, unsigned char *xj); +/* To allow NIST KAT tests */ +extern SECStatus +PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len, + const PRUint8 *nonce, unsigned int nonce_len, + const PRUint8 *personal_string, unsigned int ps_len); + /* * The following functions are for FIPS poweron self test and FIPS algorithm * testing. diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c --- a/lib/freebl/drbg.c +++ b/lib/freebl/drbg.c @@ -99,7 +99,8 @@ struct RNGContextStr { * RNG_RandomUpdate. */ PRUint8 additionalDataCache[PRNG_ADDITONAL_DATA_CACHE_SIZE]; PRUint32 additionalAvail; - PRBool isValid; /* false if RNG reaches an invalid state */ + PRBool isValid; /* false if RNG reaches an invalid state */ + PRBool isKatTest; /* true if running NIST PRNG KAT tests */ }; typedef struct RNGContextStr RNGContext; @@ -150,7 +151,7 @@ prng_Hash_df(PRUint8 *requested_bytes, u } /* - * Hash_DRBG Instantiate NIST SP 800-80 10.1.1.2 + * Hash_DRBG Instantiate NIST SP 800-90 10.1.1.2 * * NOTE: bytes & len are entropy || nonce || personalization_string. In * normal operation, NSS calculates them all together in a single call. @@ -158,9 +159,11 @@ prng_Hash_df(PRUint8 *requested_bytes, u static SECStatus prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len) { - if (len < PRNG_SEEDLEN) { - /* if the seedlen is to small, it's probably because we failed to get - * enough random data */ + if (!rng->isKatTest && len < PRNG_SEEDLEN) { + /* If the seedlen is too small, it's probably because we failed to get + * enough random data. + * This is stricter than NIST SP800-90A requires. Don't enforce it for + * tests. */ PORT_SetError(SEC_ERROR_NEED_RANDOM); return SECFailure; } @@ -272,7 +275,7 @@ prng_reseed_test(RNGContext *rng, const #define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len, carry) \ PRNG_ADD_BITS(dest, dest_len, add, len, carry) \ - PRNG_ADD_CARRY_ONLY(dest, dest_len - len, carry) + PRNG_ADD_CARRY_ONLY(dest, dest_len - len - 1, carry) /* * This function expands the internal state of the prng to fulfill any number @@ -441,6 +444,7 @@ rng_init(void) } /* the RNG is in a valid state */ globalrng->isValid = PR_TRUE; + globalrng->isKatTest = PR_FALSE; /* fetch one random value so that we can populate rng->oldV for our * continous random number test. */ @@ -696,6 +700,17 @@ RNG_RNGShutdown(void) * entropy we may have previously collected. */ RNGContext testContext; +SECStatus +PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len, + const PRUint8 *nonce, unsigned int nonce_len, + const PRUint8 *personal_string, unsigned int ps_len) +{ + testContext.isKatTest = PR_TRUE; + return PRNGTEST_Instantiate(entropy, entropy_len, + nonce, nonce_len, + personal_string, ps_len); +} + /* * Test vector API. Use NIST SP 800-90 general interface so one of the * other NIST SP 800-90 algorithms may be used in the future.