[openssl-users] Fips CTR_DRBG

Piotr Łobacz piotr.lobacz at radmor.com.pl
Fri Feb 27 06:35:43 UTC 2015 

I can do mutch more i can give the source code:

#include <iostream>
using std::cout;
using std::endl;
#include <stdlib.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <fips/fips_rand.h>
#include <fips/fips_rand_lcl.h>
#include <openssl/rand.h>
#include <string.h>

typedef struct 
        {
        const unsigned char *ent;
        size_t entlen;
        int entcnt;
        const unsigned char *nonce;
        size_t noncelen;
        int noncecnt;
        } TEST_ENT;


static unsigned char dummy_drbg_entropy[1024];

static unsigned char entropy_x[32];
static unsigned char nonce[16];


static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
                                int entropy, size_t min_len, size_t
max_len)
        {
        TEST_ENT *t = (TEST_ENT*)FIPS_drbg_get_app_data(dctx);
        *pout = (unsigned char *)t->ent;
        t->entcnt++;
        return t->entlen;
        }

static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
                                int entropy, size_t min_len, size_t
max_len)
        {
        TEST_ENT *t = (TEST_ENT*)FIPS_drbg_get_app_data(dctx);
        *pout = (unsigned char *)t->nonce;
        t->noncecnt++;
        return t->noncelen;
        }

int main(int argc, char* argv[])
{
    int rc, mode;

    mode = FIPS_mode();
    if(mode == 0)
    {
        rc = FIPS_mode_set(1);
        if(rc == 0) {
            cout << "Failed to enable FIPS mode, ";
            cout << "error: " << ERR_get_error() << endl;
        } else {
            cout << "Enabled FIPS mode" << endl;
        }
    }
    else
    {
        cout << "Already in FIPS mode" << endl;
    }

	  DRBG_CTX *dctx;
	  dctx = FIPS_drbg_new(NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);

	  unsigned char entropytmp[] =
	  {
		0x36, 0x40, 0x19, 0x40, 0xfa, 0x8b, 0x1f, 0xba,
		0x91, 0xa1, 0x66, 0x1f, 0x21, 0x1d, 0x78, 0xa0,
		0xb9, 0x38, 0x9a, 0x74, 0xe5, 0xbc, 0xcf, 0xec,
		0xe8, 0xd7, 0x66, 0xaf, 0x1a, 0x6d, 0x3b, 0x14
	  };

	  unsigned char noncetmp[] =
	  {
		0x49, 0x6f, 0x25, 0xb0, 0xf1, 0x30, 0x1b, 0x4f,
		0x50, 0x1b, 0xe3, 0x03, 0x80, 0xa1, 0x37, 0xeb
	  };
	/* AES-256 use df PR  */


	std::cout << FIPS_drbg_get_strength(dctx) << " " <<
FIPS_rand_strength() << std::endl;

	  //if (!FIPS_drbg_set_callbacks(dctx, drbg_test_entropy, 0, 0x10,
drbg_test_nonce, 0))
	  if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce,
0))
	  {
		  std::cout << "dupa" << std::endl;
	  }
	  
	  //memcpy(entropy_x, entropytmp, sizeof(entropy_x));
	 // memcpy(nonce, noncetmp, sizeof(nonce));
	
	TEST_ENT t;

        FIPS_drbg_set_app_data(dctx, &t);

        t.ent = entropytmp;
        t.entlen = sizeof(entropytmp);
        t.nonce = noncetmp;
        t.noncelen = sizeof(noncetmp);
        t.entcnt = 0;
        t.noncecnt = 0;

       


	  //FIPS_drbg_instantiate(dctx, pers, sizeof(pers));
	  if (!FIPS_drbg_instantiate(dctx, NULL, 0))
	  {
	     ERR_load_crypto_strings();
	     ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
	  }

	  size_t outlen = 32;
	  unsigned char outbuf[outlen];

	  if(!FIPS_drbg_generate(dctx, outbuf, outlen, 0, NULL, 0))
	  {
	     ERR_load_crypto_strings();
	     ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));

	  }

	  FIPS_drbg_uninstantiate(dctx);
	  FIPS_drbg_free(dctx);

    return 0;
      * }



Dnia 2015-02-26, czw o godzinie 16:43 +0000, Dr. Stephen Henson pisze:
> On Thu, Feb 26, 2015, Piotr ??obacz wrote:
> 
> > Yes,
> > i have read that RAND API will use CTR_DRBG by default but what if i
> > want to have set seed and than calculate and have the same results on
> > two different machines? As far as i understand if i set seed - which is
> > calculated from entropy, nonce and personal string - if it is given i
> > should get some deterministic value of returned buffer and RAND_bytes
> > doesn't give me such result it is always different. Correct me if i am
> > wrong.
> > 
> 
> OK, can you give some details of how you are instantiating the DRBG?
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 

________________________________________________________________________
Piotr Łobacz

Biuro Systemów i Oprogramowania

RADMOR S.A.

tel. (58) 6996 929

e-mail: piotr.lobacz at radmor.com.pl

www.radmor.com.pl




RADMOR S.A., ul. Hutnicza 3, 81-212 Gdynia

NIP: 586-010-21-39

REGON: 190432077

KRS: 0000074029 (Sąd Rejonowy Gdańsk-Północ w Gdańsku)

Kapitał zakładowy wpłacony: 9 282 830 PLN

More information about the openssl-users mailing list