[openssl] master update
patrick.steuer at de.ibm.com
patrick.steuer at de.ibm.com
Wed Mar 11 11:23:48 UTC 2020
The branch master has been updated
via 4d6d787c4937706676355ce241c6e538475295d2 (commit)
via 28bdbe1aaa474ae8cd83e520d02e463e46ce89d9 (commit)
from 4b5371913ed9bb4bfd8a55a30458932799296ab9 (commit)
- Log -----------------------------------------------------------------
commit 4d6d787c4937706676355ce241c6e538475295d2
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date: Sat Feb 22 01:34:20 2020 +0100
AES CTR-DRGB: add test for 32-bit counter overflow
Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10457)
commit 28bdbe1aaa474ae8cd83e520d02e463e46ce89d9
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date: Fri Nov 15 23:27:09 2019 +0100
AES CTR-DRGB: performance improvement
Optimize the the AES-based implementation of the CTR_DRBG
construction, see 10.2.1 in [1].
Due to the optimizations, the code may deviate (more) from the
pseudocode in [1], but it is functional equivalence being decisive
for compliance:
"All DRBG mechanisms and algorithms are described in this document
in pseudocode, which is intended to explain functionality.
The pseudocode is not intended to constrain real-world
implementations." [9 in [1]].
The following optimizations are done:
- Replace multiple plain AES encryptions by a single AES-ECB
encryption of a corresponding pre-initialized buffer, where
possible.
This allows platform-specific AES-ECB support to
be used and reduces the overhead of multiple EVP calls.
- Replace the generate operation loop (which is a counter
increment followed by a plain AES encryption) by a
loop which does a plain AES encryption followed by
a counter increment. The latter loop is just a description
of AES-CTR, so we replace it by a single AES-CTR
encryption.
This allows for platform-specific AES-CTR support to be used
and reduces the overhead of multiple EVP calls.
This change, that is, going from a pre- to a post- counter
increment, requires the counter in the internal state
to be kept at "+1" (compared to the pseudocode in [1])
such that it is in the correct state, when a generate
operation is called.
That in turn also requires all other operations to be
changed from pre- to post-increment to keep functional
equivalence.
[1] NIST SP 800-90A Revision 1
Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10457)
-----------------------------------------------------------------------
Summary of changes:
crypto/rand/drbg_ctr.c | 215 +++++++++++++++++++++++++++-----------------
crypto/rand/rand_local.h | 6 +-
test/build.info | 7 +-
test/drbg_extra_test.c | 94 +++++++++++++++++++
test/drbg_extra_test.h | 188 ++++++++++++++++++++++++++++++++++++++
test/recipes/05-test_rand.t | 2 +
6 files changed, 428 insertions(+), 84 deletions(-)
create mode 100644 test/drbg_extra_test.c
create mode 100644 test/drbg_extra_test.h
diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c
index 30420ae579..85b204d3be 100644
--- a/crypto/rand/drbg_ctr.c
+++ b/crypto/rand/drbg_ctr.c
@@ -12,6 +12,7 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
+#include "crypto/modes.h"
#include "internal/thread_once.h"
#include "rand_local.h"
@@ -65,15 +66,15 @@ static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
* Process a complete block using BCC algorithm of SP 800-90A 10.3.3
*/
__owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
- const unsigned char *in)
+ const unsigned char *in, int len)
{
int i, outlen = AES_BLOCK_SIZE;
- for (i = 0; i < 16; i++)
+ for (i = 0; i < len; i++)
out[i] ^= in[i];
- if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
- || outlen != AES_BLOCK_SIZE)
+ if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
+ || outlen != len)
return 0;
return 1;
}
@@ -84,12 +85,16 @@ __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
*/
__owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
{
- if (!ctr_BCC_block(ctr, ctr->KX, in)
- || !ctr_BCC_block(ctr, ctr->KX + 16, in))
- return 0;
- if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
- return 0;
- return 1;
+ unsigned char in_tmp[48];
+ unsigned char num_of_blk = 2;
+
+ memcpy(in_tmp, in, 16);
+ memcpy(in_tmp + 16, in, 16);
+ if (ctr->keylen != 16) {
+ memcpy(in_tmp + 32, in, 16);
+ num_of_blk = 3;
+ }
+ return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
}
/*
@@ -98,19 +103,14 @@ __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
*/
__owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
{
+ unsigned char bltmp[48] = {0};
+ unsigned char num_of_blk;
+
memset(ctr->KX, 0, 48);
- memset(ctr->bltmp, 0, 16);
- if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
- return 0;
- ctr->bltmp[3] = 1;
- if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
- return 0;
- if (ctr->keylen != 16) {
- ctr->bltmp[3] = 2;
- if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
- return 0;
- }
- return 1;
+ num_of_blk = ctr->keylen == 16 ? 2 : 3;
+ bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
+ bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
+ return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
}
/*
@@ -199,20 +199,20 @@ __owur static int ctr_df(RAND_DRBG_CTR *ctr,
|| !ctr_BCC_final(ctr))
return 0;
/* Set up key K */
- if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
+ if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
return 0;
/* X follows key K */
- if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
+ if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
AES_BLOCK_SIZE)
|| outlen != AES_BLOCK_SIZE)
return 0;
- if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
+ if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
AES_BLOCK_SIZE)
|| outlen != AES_BLOCK_SIZE)
return 0;
if (ctr->keylen != 16)
- if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
- AES_BLOCK_SIZE)
+ if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
+ ctr->KX + 16, AES_BLOCK_SIZE)
|| outlen != AES_BLOCK_SIZE)
return 0;
return 1;
@@ -231,31 +231,25 @@ __owur static int ctr_update(RAND_DRBG *drbg,
{
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
int outlen = AES_BLOCK_SIZE;
+ unsigned char V_tmp[48], out[48];
+ unsigned char len;
/* correct key is already set up. */
+ memcpy(V_tmp, ctr->V, 16);
inc_128(ctr);
- if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
- || outlen != AES_BLOCK_SIZE)
- return 0;
-
- /* If keylen longer than 128 bits need extra encrypt */
- if (ctr->keylen != 16) {
+ memcpy(V_tmp + 16, ctr->V, 16);
+ if (ctr->keylen == 16) {
+ len = 32;
+ } else {
inc_128(ctr);
- if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
- AES_BLOCK_SIZE)
- || outlen != AES_BLOCK_SIZE)
- return 0;
+ memcpy(V_tmp + 32, ctr->V, 16);
+ len = 48;
}
- inc_128(ctr);
- if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
- || outlen != AES_BLOCK_SIZE)
+ if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
+ || outlen != len)
return 0;
-
- /* If 192 bit key part of V is on end of K */
- if (ctr->keylen == 24) {
- memcpy(ctr->V + 8, ctr->V, 8);
- memcpy(ctr->V, ctr->K + 24, 8);
- }
+ memcpy(ctr->K, out, ctr->keylen);
+ memcpy(ctr->V, out + ctr->keylen, 16);
if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
/* If no input reuse existing derived value */
@@ -270,7 +264,8 @@ __owur static int ctr_update(RAND_DRBG *drbg,
ctr_XOR(ctr, in2, in2len);
}
- if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
+ if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
+ || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
return 0;
return 1;
}
@@ -287,8 +282,10 @@ __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg,
memset(ctr->K, 0, sizeof(ctr->K));
memset(ctr->V, 0, sizeof(ctr->V));
- if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
+ if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
return 0;
+
+ inc_128(ctr);
if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
return 0;
return 1;
@@ -298,20 +295,40 @@ __owur static int drbg_ctr_reseed(RAND_DRBG *drbg,
const unsigned char *entropy, size_t entropylen,
const unsigned char *adin, size_t adinlen)
{
+ RAND_DRBG_CTR *ctr = &drbg->data.ctr;
+
if (entropy == NULL)
return 0;
+
+ inc_128(ctr);
if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
return 0;
return 1;
}
+static void ctr96_inc(unsigned char *counter)
+{
+ u32 n = 12, c = 1;
+
+ do {
+ --n;
+ c += counter[n];
+ counter[n] = (u8)c;
+ c >>= 8;
+ } while (n);
+}
+
__owur static int drbg_ctr_generate(RAND_DRBG *drbg,
unsigned char *out, size_t outlen,
const unsigned char *adin, size_t adinlen)
{
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
+ unsigned int ctr32, blocks;
+ int outl, buflen;
if (adin != NULL && adinlen != 0) {
+ inc_128(ctr);
+
if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
return 0;
/* This means we reuse derived value */
@@ -323,28 +340,51 @@ __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
adinlen = 0;
}
- for ( ; ; ) {
- int outl = AES_BLOCK_SIZE;
+ inc_128(ctr);
+ if (outlen == 0) {
inc_128(ctr);
- if (outlen < 16) {
- /* Use K as temp space as it will be updated */
- if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
- AES_BLOCK_SIZE)
- || outl != AES_BLOCK_SIZE)
- return 0;
- memcpy(out, ctr->K, outlen);
- break;
- }
- if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
- || outl != AES_BLOCK_SIZE)
+
+ if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
return 0;
- out += 16;
- outlen -= 16;
- if (outlen == 0)
- break;
+ return 1;
}
+ memset(out, 0, outlen);
+
+ do {
+ if (!EVP_CipherInit_ex(ctr->ctx_ctr,
+ NULL, NULL, NULL, ctr->V, -1))
+ return 0;
+
+ /*-
+ * outlen has type size_t while EVP_CipherUpdate takes an
+ * int argument and thus cannot be guaranteed to process more
+ * than 2^31-1 bytes at a time. We process such huge generate
+ * requests in 2^30 byte chunks, which is the greatest multiple
+ * of AES block size lower than or equal to 2^31-1.
+ */
+ buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
+ blocks = (buflen + 15) / 16;
+
+ ctr32 = GETU32(ctr->V + 12) + blocks;
+ if (ctr32 < blocks) {
+ /* 32-bit counter overflow into V. */
+ blocks -= ctr32;
+ buflen = blocks * 16;
+ ctr32 = 0;
+ ctr96_inc(ctr->V);
+ }
+ PUTU32(ctr->V + 12, ctr32);
+
+ if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
+ || outl != buflen)
+ return 0;
+
+ out += buflen;
+ outlen -= buflen;
+ } while (outlen);
+
if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
return 0;
return 1;
@@ -352,9 +392,11 @@ __owur static int drbg_ctr_generate(RAND_DRBG *drbg,
static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
{
- EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
+ EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb);
+ EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr);
EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
- EVP_CIPHER_free(drbg->data.ctr.cipher);
+ EVP_CIPHER_free(drbg->data.ctr.cipher_ecb);
+ EVP_CIPHER_free(drbg->data.ctr.cipher_ctr);
OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
return 1;
}
@@ -370,7 +412,8 @@ int drbg_ctr_init(RAND_DRBG *drbg)
{
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
size_t keylen;
- EVP_CIPHER *cipher = NULL;
+ EVP_CIPHER *cipher_ecb = NULL;
+ EVP_CIPHER *cipher_ctr = NULL;
switch (drbg->type) {
default:
@@ -378,30 +421,41 @@ int drbg_ctr_init(RAND_DRBG *drbg)
return 0;
case NID_aes_128_ctr:
keylen = 16;
- cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", "");
+ cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", "");
+ cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-128-CTR", "");
break;
case NID_aes_192_ctr:
keylen = 24;
- cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", "");
+ cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", "");
+ cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-192-CTR", "");
break;
case NID_aes_256_ctr:
keylen = 32;
- cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", "");
+ cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", "");
+ cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-256-CTR", "");
break;
}
- if (cipher == NULL)
+ if (cipher_ecb == NULL || cipher_ctr == NULL)
return 0;
- EVP_CIPHER_free(ctr->cipher);
- ctr->cipher = cipher;
-
- drbg->meth = &drbg_ctr_meth;
+ EVP_CIPHER_free(ctr->cipher_ecb);
+ ctr->cipher_ecb = cipher_ecb;
+ EVP_CIPHER_free(ctr->cipher_ctr);
+ ctr->cipher_ctr = cipher_ctr;
ctr->keylen = keylen;
- if (ctr->ctx == NULL)
- ctr->ctx = EVP_CIPHER_CTX_new();
- if (ctr->ctx == NULL)
+ if (ctr->ctx_ecb == NULL)
+ ctr->ctx_ecb = EVP_CIPHER_CTX_new();
+ if (ctr->ctx_ctr == NULL)
+ ctr->ctx_ctr = EVP_CIPHER_CTX_new();
+ if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL
+ || !EVP_CipherInit_ex(ctr->ctx_ecb,
+ ctr->cipher_ecb, NULL, NULL, NULL, 1)
+ || !EVP_CipherInit_ex(ctr->ctx_ctr,
+ ctr->cipher_ctr, NULL, NULL, NULL, 1))
return 0;
+
+ drbg->meth = &drbg_ctr_meth;
drbg->strength = keylen * 8;
drbg->seedlen = keylen + 16;
@@ -419,7 +473,8 @@ int drbg_ctr_init(RAND_DRBG *drbg)
if (ctr->ctx_df == NULL)
return 0;
/* Set key schedule for df_key */
- if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
+ if (!EVP_CipherInit_ex(ctr->ctx_df,
+ ctr->cipher_ecb, NULL, df_key, NULL, 1))
return 0;
drbg->min_entropylen = ctr->keylen;
diff --git a/crypto/rand/rand_local.h b/crypto/rand/rand_local.h
index ce16892531..646c0c33fd 100644
--- a/crypto/rand/rand_local.h
+++ b/crypto/rand/rand_local.h
@@ -175,9 +175,11 @@ typedef struct rand_drbg_hmac_st {
* The state of a DRBG AES-CTR.
*/
typedef struct rand_drbg_ctr_st {
- EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER_CTX *ctx_ecb;
+ EVP_CIPHER_CTX *ctx_ctr;
EVP_CIPHER_CTX *ctx_df;
- EVP_CIPHER *cipher;
+ EVP_CIPHER *cipher_ecb;
+ EVP_CIPHER *cipher_ctr;
size_t keylen;
unsigned char K[32];
unsigned char V[16];
diff --git a/test/build.info b/test/build.info
index fcf2ac57ac..6f00d1a141 100644
--- a/test/build.info
+++ b/test/build.info
@@ -49,8 +49,7 @@ IF[{- !$disabled{tests} -}]
cipherbytes_test \
asn1_encode_test asn1_decode_test asn1_string_table_test \
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
- recordlentest drbgtest sslbuffertest \
- recordlentest drbgtest drbg_cavs_test sslbuffertest \
+ recordlentest drbgtest drbg_cavs_test drbg_extra_test sslbuffertest \
time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
servername_test ocspapitest fatalerrtest tls13ccstest \
sysdefaulttest errtest ssl_ctx_test gosttest \
@@ -357,6 +356,10 @@ IF[{- !$disabled{tests} -}]
INCLUDE[drbg_cavs_test]=../include ../apps/include . .. ../crypto/include
DEPEND[drbg_cavs_test]=../libcrypto libtestutil.a
+ SOURCE[drbg_extra_test]=drbg_extra_test.c
+ INCLUDE[drbg_extra_test]=../include . .. ../apps/include
+ DEPEND[drbg_extra_test]=../libcrypto libtestutil.a
+
SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c
INCLUDE[x509_dup_cert_test]=../include ../apps/include
DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a
diff --git a/test/drbg_extra_test.c b/test/drbg_extra_test.c
new file mode 100644
index 0000000000..642f744932
--- /dev/null
+++ b/test/drbg_extra_test.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include "internal/nelem.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/obj_mac.h>
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include "../crypto/rand/rand_local.h"
+
+#include "testutil.h"
+#include "drbg_extra_test.h"
+
+static unsigned char zerobuff[32];
+
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance)
+{
+ *pout = zerobuff;
+ return sizeof(zerobuff);
+}
+
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ *pout = zerobuff;
+ return sizeof(zerobuff);
+}
+
+static int run_extra_kat(const struct drbg_extra_kat *td)
+{
+ unsigned long long i;
+ RAND_DRBG *drbg = NULL;
+ unsigned char buff[BUFFSIZE];
+ unsigned int flags = 0;
+ int failures = 0;
+
+ if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL)))
+ return 0;
+
+ /* Set deterministic entropy callback. */
+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+ kat_nonce, NULL))) {
+ failures++;
+ goto err;
+ }
+
+ /* Set fixed reseed intervall. */
+ if (!TEST_true(RAND_DRBG_set_reseed_interval(drbg, RESEEDINTERVAL))) {
+ failures++;
+ goto err;
+ }
+
+ if (!TEST_true(RAND_DRBG_instantiate(drbg, NULL, 0)))
+ failures++;
+
+ for (i = 0; i < td->ngen; i++) {
+ if(!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL,
+ 0)))
+ failures++;
+ }
+
+ if (!TEST_true(RAND_DRBG_uninstantiate(drbg))
+ || !TEST_mem_eq(td->expected, sizeof(buff), buff, sizeof(buff)))
+ failures++;
+
+err:
+ if (drbg != NULL) {
+ RAND_DRBG_uninstantiate(drbg);
+ RAND_DRBG_free(drbg);
+ }
+ return failures == 0;
+}
+
+static int test_extra_kats(int i)
+{
+ return run_extra_kat(drbg_extra_test[i]);
+}
+
+int setup_tests(void)
+{
+ ADD_ALL_TESTS(test_extra_kats, OSSL_NELEM(drbg_extra_test));
+ return 1;
+}
diff --git a/test/drbg_extra_test.h b/test/drbg_extra_test.h
new file mode 100644
index 0000000000..4c771573d1
--- /dev/null
+++ b/test/drbg_extra_test.h
@@ -0,0 +1,188 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Self generated known answer test (KATs) for NIST SP800-90A AES CTR_DRBG.
+ * Test overflow of V after |ngen| generate operation.
+ */
+
+#include <stddef.h>
+
+#ifndef DRBG_EXTRA_TEST_H
+# define DRBG_EXTRA_TEST_H
+
+# define BUFFSIZE 512
+# define RESEEDINTERVAL ((1 << 24) - 1)
+
+struct drbg_extra_kat {
+ int nid;
+ const unsigned char *expected;
+ unsigned long long ngen;
+};
+
+static const unsigned char expected128[BUFFSIZE] = {
+ 0x39, 0x10, 0x06, 0x64, 0x68, 0x7d, 0x77, 0x64, 0xf9, 0xb8, 0xe8, 0x3c,
+ 0x55, 0xb0, 0xf1, 0x8c, 0xeb, 0x11, 0x23, 0x50, 0x15, 0x28, 0x44, 0x38,
+ 0x84, 0x47, 0x7b, 0xc2, 0x78, 0x16, 0x73, 0x57, 0x9f, 0x01, 0x57, 0xf0,
+ 0x17, 0x14, 0xa3, 0xa8, 0xdf, 0x3b, 0x87, 0x78, 0x37, 0xf8, 0x53, 0x23,
+ 0x18, 0xd2, 0xbc, 0x82, 0xc5, 0xed, 0x51, 0x84, 0x30, 0x14, 0xaa, 0x01,
+ 0xb8, 0xb5, 0xed, 0x33, 0x14, 0xe7, 0x6c, 0xa7, 0x38, 0x02, 0x60, 0x69,
+ 0x52, 0x0f, 0x5b, 0x7f, 0x4c, 0x82, 0x25, 0x05, 0x10, 0xaa, 0xd5, 0xc6,
+ 0xac, 0x44, 0x7c, 0xef, 0x0f, 0x69, 0xc7, 0x4d, 0x07, 0x54, 0x83, 0xb5,
+ 0xf2, 0x05, 0x0f, 0x69, 0xfd, 0x85, 0x8f, 0x63, 0x27, 0xe6, 0xff, 0xa5,
+ 0x26, 0xd9, 0xf0, 0x8b, 0x31, 0x89, 0xbc, 0x51, 0xb8, 0x62, 0x06, 0x88,
+ 0xe7, 0x95, 0xa7, 0x69, 0x7d, 0x43, 0x9c, 0x2b, 0x3c, 0x59, 0x9f, 0xa9,
+ 0x63, 0xa3, 0x80, 0x1b, 0xe9, 0x96, 0x6b, 0xde, 0xf2, 0xdb, 0x0c, 0x07,
+ 0x22, 0xb1, 0x30, 0xd0, 0x08, 0x66, 0x23, 0x31, 0x63, 0xd2, 0x86, 0xbf,
+ 0x6e, 0xcb, 0x44, 0xb7, 0x6a, 0x44, 0xac, 0xe6, 0x53, 0x0b, 0x32, 0x20,
+ 0xb6, 0xcb, 0x10, 0x22, 0x57, 0xa5, 0x7f, 0x7d, 0x9e, 0x83, 0xb9, 0xdb,
+ 0x27, 0x1b, 0x04, 0xf5, 0x67, 0x94, 0x6e, 0x44, 0xba, 0x77, 0xc2, 0xf6,
+ 0x6a, 0xcd, 0xfa, 0x71, 0x44, 0x07, 0x5e, 0x09, 0x6f, 0x42, 0x5c, 0x06,
+ 0x55, 0x4f, 0xae, 0xc7, 0x53, 0x73, 0x89, 0x80, 0x2d, 0x5a, 0x73, 0x3c,
+ 0x11, 0x8f, 0x76, 0xa1, 0x3b, 0xb6, 0xbe, 0x6b, 0xd2, 0x1f, 0xa7, 0x63,
+ 0x7c, 0x99, 0x46, 0x3d, 0x6b, 0x0d, 0x2a, 0xfe, 0x10, 0x00, 0x77, 0x43,
+ 0x5b, 0xd0, 0x52, 0x79, 0x8d, 0x1d, 0xfd, 0xe2, 0x9a, 0xac, 0x5c, 0x77,
+ 0x69, 0x68, 0xec, 0xf1, 0x92, 0xa8, 0xb7, 0x26, 0xcd, 0x64, 0xef, 0x8f,
+ 0x55, 0xa0, 0x83, 0x3f, 0x27, 0xf0, 0x34, 0xc3, 0x61, 0x74, 0xf9, 0x44,
+ 0x2d, 0xe1, 0xb3, 0xad, 0x02, 0xc2, 0x45, 0x40, 0x40, 0xc0, 0x0f, 0x05,
+ 0x72, 0xdb, 0x71, 0xae, 0x84, 0x4c, 0x3d, 0xd0, 0x61, 0x5d, 0x79, 0x52,
+ 0x16, 0xb1, 0x02, 0x07, 0xaf, 0xfa, 0x9a, 0xe0, 0x21, 0xbf, 0x1c, 0xc4,
+ 0x21, 0xf9, 0x76, 0x95, 0xc4, 0x92, 0x57, 0xb7, 0x1e, 0xce, 0xb8, 0xd5,
+ 0x1c, 0x68, 0x7c, 0xed, 0x8f, 0x45, 0x09, 0x0b, 0xef, 0x30, 0x68, 0xab,
+ 0x5f, 0x26, 0x4a, 0xf2, 0x8a, 0x55, 0x97, 0x3d, 0x1c, 0xa0, 0x33, 0x20,
+ 0x10, 0x9e, 0x10, 0x77, 0x93, 0xa2, 0xcb, 0x72, 0x33, 0xf3, 0x6f, 0xdc,
+ 0x41, 0x46, 0x83, 0xb1, 0x59, 0x22, 0xf0, 0x9b, 0x9f, 0x50, 0x9f, 0x14,
+ 0x2e, 0xe0, 0xb8, 0xa3, 0xf7, 0x40, 0x9d, 0xe0, 0x76, 0x78, 0xa6, 0xd4,
+ 0xf6, 0xd4, 0x29, 0x33, 0x97, 0x76, 0x54, 0xdf, 0x3e, 0xf0, 0x82, 0x9f,
+ 0x4f, 0xf1, 0x0b, 0x0a, 0x61, 0xa2, 0x3f, 0xde, 0xda, 0xfe, 0x93, 0xe1,
+ 0x51, 0x19, 0x93, 0x8c, 0xc0, 0x07, 0x76, 0xdb, 0x4a, 0x9c, 0xef, 0x42,
+ 0x5f, 0x7b, 0x5b, 0x2c, 0xff, 0xe7, 0x5f, 0x6d, 0xcb, 0x7e, 0x9b, 0xc9,
+ 0xf3, 0x94, 0xe9, 0x73, 0xd6, 0xa3, 0x00, 0x7d, 0x11, 0xf8, 0xd6, 0x58,
+ 0x97, 0x3e, 0xdf, 0xb9, 0xd5, 0x57, 0xde, 0x51, 0x9e, 0x39, 0x5d, 0x59,
+ 0xe5, 0x50, 0x29, 0x3e, 0x58, 0x90, 0x37, 0xa6, 0xcc, 0x06, 0x89, 0xb1,
+ 0xa6, 0xa7, 0xef, 0x96, 0x30, 0xf5, 0xc1, 0xea, 0x03, 0xde, 0x46, 0x9a,
+ 0x5f, 0xa2, 0x5d, 0xb6, 0x74, 0xfd, 0xbf, 0xde, 0x77, 0x8e, 0x3e, 0x90,
+ 0x55, 0x3b, 0x4d, 0x59, 0xde, 0x19, 0x43, 0xcd, 0x5d, 0x1b, 0xba, 0x29,
+ 0xa9, 0x59, 0xad, 0xef, 0x2d, 0x9c, 0x3b, 0xc0
+};
+static const struct drbg_extra_kat drbg_extra_test128 = {
+ NID_aes_128_ctr,
+ expected128,
+ 61335566ULL
+};
+
+static const unsigned char expected192[BUFFSIZE] = {
+ 0x19, 0x1b, 0xe3, 0xa9, 0x58, 0xb4, 0xcc, 0x3a, 0x3a, 0x06, 0x30, 0x6a,
+ 0xdc, 0x8c, 0x78, 0xb2, 0x1e, 0xb5, 0x83, 0xa0, 0x04, 0x72, 0xae, 0xed,
+ 0xae, 0x88, 0x7c, 0x63, 0x8b, 0xe6, 0x20, 0x9b, 0xb4, 0x04, 0x14, 0xa9,
+ 0x83, 0xce, 0xb4, 0xd1, 0x69, 0xc2, 0x00, 0xa5, 0xf4, 0x45, 0xdb, 0xa1,
+ 0xcb, 0xd7, 0xfe, 0xf7, 0x19, 0x5d, 0x4d, 0x26, 0x7d, 0x7a, 0x2f, 0xde,
+ 0xc1, 0xb3, 0x8e, 0x3e, 0x19, 0xd1, 0xff, 0x25, 0x9b, 0x81, 0x90, 0x11,
+ 0x71, 0xb6, 0x08, 0x46, 0x76, 0x58, 0xca, 0x78, 0xae, 0xc3, 0x90, 0x29,
+ 0x07, 0x07, 0x85, 0x9d, 0x90, 0xd9, 0xf5, 0x5a, 0x8d, 0x28, 0x87, 0xd3,
+ 0x88, 0xd1, 0x14, 0xc1, 0xa8, 0x96, 0xa3, 0x7e, 0x6b, 0xe4, 0x1d, 0xf6,
+ 0x0d, 0xfb, 0x3d, 0xee, 0xa9, 0x8c, 0x70, 0xc9, 0x3f, 0x87, 0xad, 0x57,
+ 0xd9, 0xe3, 0x4e, 0xfc, 0x03, 0xeb, 0x79, 0xb8, 0xb9, 0xe9, 0xe4, 0x55,
+ 0x78, 0x4b, 0xdb, 0xfa, 0xb6, 0x5e, 0x1e, 0x5b, 0xab, 0x11, 0x35, 0x3c,
+ 0x97, 0x10, 0x0d, 0x7e, 0x68, 0x47, 0x1a, 0xd0, 0x59, 0xac, 0x41, 0x61,
+ 0x8e, 0xfc, 0xd1, 0x12, 0xf6, 0x81, 0x44, 0x5c, 0x78, 0xe4, 0x32, 0x2f,
+ 0xa5, 0x4c, 0x6e, 0xf8, 0xbf, 0x35, 0xc2, 0x66, 0xc0, 0x04, 0x77, 0x2e,
+ 0x1d, 0xe9, 0xc9, 0x8f, 0xca, 0xd7, 0x2a, 0xf0, 0x35, 0x34, 0x3a, 0xf6,
+ 0x7e, 0x0d, 0xc6, 0xc2, 0x4a, 0xd0, 0x91, 0x5d, 0xf5, 0x47, 0xdb, 0x32,
+ 0x88, 0x52, 0x98, 0xf0, 0xca, 0xc9, 0x57, 0x34, 0x10, 0xca, 0xfa, 0x9d,
+ 0x23, 0x61, 0x41, 0x55, 0xc8, 0x65, 0xa4, 0x4e, 0xa5, 0x8b, 0x1a, 0xdc,
+ 0x14, 0x80, 0x26, 0xe7, 0x72, 0x98, 0x90, 0x14, 0x01, 0x52, 0xa4, 0x9f,
+ 0x55, 0xe4, 0xaa, 0x15, 0x20, 0xd4, 0x34, 0x3f, 0x36, 0xce, 0x93, 0x5d,
+ 0x7b, 0x49, 0x29, 0x3f, 0xef, 0x78, 0xe9, 0x2e, 0x4c, 0x87, 0xa1, 0xb6,
+ 0x28, 0xb7, 0xa3, 0xb4, 0x49, 0x84, 0xf5, 0x5d, 0x24, 0x7d, 0x57, 0x57,
+ 0x79, 0xf5, 0xa1, 0x67, 0x5b, 0x8c, 0x59, 0x43, 0x3a, 0x1f, 0x10, 0x51,
+ 0x57, 0xa0, 0xe5, 0x18, 0xba, 0xdd, 0xca, 0x2d, 0xa9, 0xc5, 0xef, 0xad,
+ 0x7e, 0xd5, 0x17, 0xa3, 0x66, 0xe0, 0x93, 0x00, 0xda, 0xfc, 0x90, 0x89,
+ 0x64, 0x01, 0x10, 0x6a, 0xe7, 0x51, 0x7e, 0x5c, 0x16, 0x87, 0x4a, 0xc2,
+ 0x04, 0x27, 0x5c, 0x71, 0xdb, 0xcb, 0xb4, 0x70, 0xfc, 0x5e, 0xfb, 0xce,
+ 0xba, 0xc8, 0x20, 0x80, 0x5d, 0x73, 0xdb, 0xb4, 0x30, 0x8b, 0xfc, 0xcf,
+ 0xd1, 0x09, 0xa1, 0x93, 0xa3, 0x3e, 0x86, 0x76, 0x86, 0x5a, 0xa4, 0xba,
+ 0xda, 0xb8, 0x03, 0x1d, 0x69, 0x99, 0x29, 0xef, 0xe1, 0x7b, 0x6a, 0xd3,
+ 0x95, 0x9e, 0x98, 0x5a, 0x39, 0xb0, 0xde, 0x53, 0x49, 0x09, 0x7d, 0xdd,
+ 0x89, 0xed, 0x90, 0xc6, 0xa3, 0x8c, 0xe6, 0x15, 0x2f, 0x5a, 0x47, 0x8a,
+ 0x66, 0xf7, 0x1f, 0x38, 0x9e, 0xae, 0x9b, 0x46, 0x71, 0x96, 0x21, 0xbf,
+ 0x9f, 0x8e, 0x60, 0x2c, 0xda, 0xd6, 0x38, 0xf0, 0xc5, 0xe6, 0x27, 0x4b,
+ 0xfa, 0xc2, 0x13, 0x1a, 0x6b, 0xf5, 0x47, 0x97, 0x2f, 0xd0, 0x34, 0xe7,
+ 0x71, 0x9f, 0x8b, 0xc7, 0x22, 0xec, 0x97, 0x38, 0xe2, 0x07, 0x2b, 0x02,
+ 0x76, 0xf7, 0xb5, 0xdc, 0x55, 0xaf, 0x8e, 0xe6, 0x92, 0x57, 0x82, 0x82,
+ 0xf2, 0x1e, 0x10, 0x37, 0x40, 0xc4, 0x91, 0x25, 0xa7, 0x5c, 0xed, 0x1b,
+ 0x61, 0xc7, 0xc4, 0x47, 0xac, 0xe5, 0xb8, 0x7b, 0xdc, 0xfc, 0xaa, 0xd4,
+ 0x0c, 0xcc, 0x93, 0xee, 0x69, 0xd7, 0x35, 0xcf, 0xd7, 0x47, 0x05, 0xfc,
+ 0x88, 0xeb, 0x29, 0x0b, 0x62, 0x8e, 0x51, 0xb0, 0xd6, 0x71, 0xa0, 0xf2,
+ 0x17, 0x74, 0x1a, 0x2d, 0x4f, 0xb0, 0xd9, 0x8b
+};
+static const struct drbg_extra_kat drbg_extra_test192 = {
+ NID_aes_192_ctr,
+ expected192,
+ 10132467ULL
+};
+
+static const unsigned char expected256[BUFFSIZE] = {
+ 0x3f, 0x6d, 0x24, 0x4d, 0xe8, 0xdf, 0x93, 0xe5, 0xde, 0x4f, 0xba, 0x25,
+ 0x9c, 0x97, 0xfa, 0xbb, 0x78, 0x6f, 0xe7, 0xce, 0x74, 0x66, 0xa3, 0x81,
+ 0xf1, 0x0e, 0xf9, 0xea, 0xb6, 0xfc, 0xc2, 0xc5, 0xf0, 0x25, 0x0d, 0x45,
+ 0x45, 0x8a, 0x3e, 0xf2, 0x93, 0xf3, 0x2c, 0x41, 0x46, 0x2d, 0x58, 0x56,
+ 0x7e, 0x6a, 0x5c, 0x8a, 0x51, 0x3f, 0xd1, 0x76, 0x09, 0x6d, 0xf4, 0xf0,
+ 0x01, 0x8f, 0x60, 0x68, 0x9c, 0x52, 0xb2, 0xb1, 0xd2, 0x3e, 0x07, 0x10,
+ 0xab, 0x6c, 0xc9, 0x78, 0x22, 0xf4, 0xde, 0xbc, 0xee, 0x23, 0xa9, 0xb5,
+ 0x81, 0x2c, 0x4c, 0xf7, 0xd6, 0x35, 0x53, 0x1f, 0x66, 0x42, 0x1d, 0x7a,
+ 0x6d, 0x6e, 0x56, 0x8d, 0xbc, 0x03, 0xac, 0x76, 0x6c, 0x46, 0x4a, 0x80,
+ 0x87, 0x97, 0x62, 0xc6, 0xe8, 0x21, 0x35, 0xbd, 0x1d, 0x17, 0x28, 0x80,
+ 0x79, 0x6a, 0xe0, 0xc5, 0x33, 0x51, 0x38, 0xa6, 0xdf, 0x8d, 0xf6, 0xb3,
+ 0x69, 0x4f, 0x3b, 0xb2, 0xb1, 0x8e, 0x28, 0x8a, 0x3b, 0xba, 0x80, 0x43,
+ 0x7a, 0x92, 0x5e, 0x11, 0xd7, 0x4a, 0x8d, 0xa5, 0xee, 0x7c, 0x30, 0x69,
+ 0x7c, 0x27, 0x0f, 0xb8, 0x10, 0xd4, 0x32, 0x5f, 0xad, 0x27, 0xf4, 0xf1,
+ 0x31, 0xfe, 0x41, 0x08, 0x8c, 0x09, 0xe5, 0x9c, 0x55, 0x97, 0xa5, 0x38,
+ 0x7f, 0x72, 0x5b, 0x0a, 0xb3, 0x44, 0x2d, 0x4f, 0x65, 0xba, 0x74, 0x0c,
+ 0x35, 0x2f, 0x57, 0xfb, 0x21, 0x9c, 0x80, 0x2a, 0xd8, 0x0d, 0x56, 0xa7,
+ 0x99, 0x8b, 0xd9, 0xaf, 0x6f, 0x45, 0x06, 0x94, 0xf5, 0x6f, 0x56, 0x32,
+ 0x3d, 0x6c, 0xd6, 0x91, 0x30, 0x88, 0xdd, 0x61, 0x79, 0xa8, 0xac, 0x03,
+ 0xcf, 0x1c, 0x53, 0xd4, 0xdf, 0x6f, 0x39, 0x9c, 0x9f, 0xa9, 0xb5, 0x8c,
+ 0x8b, 0xc3, 0x20, 0x89, 0x5e, 0xf9, 0x74, 0x0c, 0xda, 0x7b, 0x2a, 0x22,
+ 0xa4, 0xcc, 0x00, 0x78, 0x66, 0x5e, 0xe5, 0x49, 0x5b, 0x3e, 0xfe, 0x85,
+ 0xcd, 0x9a, 0xa7, 0xcd, 0xb0, 0xf1, 0x2b, 0xe7, 0x3b, 0x23, 0x09, 0xb2,
+ 0x26, 0x66, 0x6c, 0x64, 0xd9, 0x35, 0x69, 0xd4, 0xfe, 0xc1, 0x3f, 0xbd,
+ 0xf3, 0x15, 0x15, 0x83, 0x1f, 0x92, 0x5f, 0x25, 0x0b, 0x1f, 0x54, 0xeb,
+ 0xfc, 0x40, 0x96, 0xb4, 0x71, 0x2a, 0x3b, 0xa3, 0x94, 0xfa, 0x41, 0xfa,
+ 0x43, 0x4e, 0xf1, 0x85, 0xc4, 0x2d, 0x40, 0xf0, 0x1a, 0x0d, 0x88, 0xf2,
+ 0xd4, 0x1f, 0x9d, 0x80, 0x69, 0x56, 0xb1, 0xa4, 0xcb, 0xa1, 0x35, 0x98,
+ 0xda, 0xa4, 0xa3, 0x6d, 0xd8, 0x01, 0x98, 0xe0, 0x2e, 0x13, 0xc2, 0x7d,
+ 0x74, 0x6a, 0x62, 0x7a, 0xef, 0x93, 0x65, 0x94, 0x37, 0xa6, 0x5b, 0xcb,
+ 0x23, 0xe6, 0x23, 0x3d, 0xa5, 0x7e, 0x30, 0x59, 0x36, 0x85, 0xee, 0xfb,
+ 0xe8, 0x33, 0x3c, 0xf5, 0xc3, 0x4e, 0xf2, 0xc4, 0x70, 0xc8, 0x4f, 0x00,
+ 0x39, 0x7d, 0x20, 0x7f, 0x72, 0x57, 0xd9, 0xb9, 0xf6, 0xfe, 0xf2, 0x50,
+ 0x44, 0xed, 0x53, 0xdc, 0xd6, 0xd5, 0x1f, 0x94, 0xea, 0x62, 0x9e, 0x64,
+ 0x23, 0xd6, 0x6d, 0x8a, 0x6e, 0xfb, 0xc2, 0xb3, 0x7e, 0x72, 0x26, 0xad,
+ 0x31, 0x30, 0x81, 0xb7, 0x62, 0x10, 0xaf, 0x8e, 0x45, 0x74, 0x6e, 0x8f,
+ 0x07, 0x5a, 0xfe, 0xe3, 0xa7, 0xe8, 0x47, 0x80, 0x7e, 0x1d, 0xb5, 0x8c,
+ 0xab, 0xcb, 0x0b, 0x95, 0xb2, 0x95, 0x64, 0x5e, 0xea, 0x42, 0x14, 0x6f,
+ 0x6b, 0xe4, 0x81, 0x51, 0x78, 0xb4, 0x0e, 0x0c, 0x6e, 0x22, 0x31, 0xb2,
+ 0x50, 0xd9, 0x78, 0xc6, 0xfa, 0xa4, 0xb6, 0xf4, 0x17, 0x20, 0xbe, 0xe3,
+ 0x69, 0xfa, 0x6c, 0xb9, 0x98, 0xad, 0xca, 0xba, 0x72, 0xa2, 0x22, 0x4c,
+ 0x0a, 0xb3, 0x6d, 0x9b, 0x11, 0x8a, 0x59, 0x06, 0xf1, 0xda, 0x43, 0xc2,
+ 0xae, 0xb0, 0x80, 0x35, 0x86, 0xbf, 0xf0, 0x8c
+};
+static const struct drbg_extra_kat drbg_extra_test256 = {
+ NID_aes_256_ctr,
+ expected256,
+ 40870394ULL
+};
+
+static const struct drbg_extra_kat *drbg_extra_test[] = {
+ &drbg_extra_test128,
+ &drbg_extra_test192,
+ &drbg_extra_test256,
+};
+
+#endif
diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t
index f376edd18a..70035e9b27 100644
--- a/test/recipes/05-test_rand.t
+++ b/test/recipes/05-test_rand.t
@@ -15,3 +15,5 @@ setup("test_rand");
ok(run(test(["drbgtest"])));
ok(run(test(["drbg_cavs_test"])));
+# commented out due to long running time
+#ok(run(test(["drbg_extra_test"])));
More information about the openssl-commits
mailing list