OpenSSL 3: FIPS DRBG Tests

Dr Paul Dale pauli at openssl.org
Thu Nov 11 23:01:23 UTC 2021



On 12/11/21 4:02 am, Kory Hamzeh wrote:
> I am writing the FIPS DRBG AVS per NIST SP800-90A. I have some questions.
>
> 1. Is the TEST-RAND ok for nist test? I am planning to basically follow the steps in test/acvp_test.c:drbg_test(), but the data is read in from a file rather than an in memory structure.
This is one of the things it is intended for.  You might consider 
writing a BIO-RAND that reads its input from a BIO or one that reads 
from a file.  TEST-RAND is in memory only but the amount of data 
shouldn't be too large to handle.


> 2. Some of the test vectors provide you with a 2nd entropy value to use for the 2nd call to generate. Can I call EVP_RAND_set_prams() with a  OSSL_RAND_PARAM_TEST_ENTROPY before the 2nd call to generate?
Yes you can.

You ought to to look at the function rand_test_run() in test/evp_test.c 
(as well as the code before and after).  This is processing slightly 
munged CAVs data and does everything you should need.


> 3. And finally, our existing test, based on openssl-fips-2.0.5 called FIPS_drbg_new(). That function allows you to pass an EC curve NID in the upper 16 bits of the drbg type. Not sure how to do this in OpenSSL 3, however, I see no mention of EC curves in:
>
> https://csrc.nist.gov/csrc/media/projects/cryptographic-algorithm-validation-program/documents/drbg/drbgvs.pdf
>
> So it may be a moot issue.
It's moot.  None of the approved DRBGs use EC anymore.  There was a bit 
of controversy a number of years ago about the Dual-EC DRBG: it's almost 
certainly back-doored by the US government.


Pauli



More information about the openssl-users mailing list