fips rand: DRBG KAT self test updates to provider model.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

4 files changed, 68 insertions, 61 deletions

diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c
index 80759cbfaf..ee33cfa631 100644
--- a/crypto/rand/drbg_lib.c
+++ b/crypto/rand/drbg_lib.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RAND_DRBG_set is deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
@@ -433,6 +439,7 @@ void RAND_DRBG_free(RAND_DRBG *drbg)
         return;
 
     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RAND_DRBG, drbg, &drbg->ex_data);
+    EVP_RAND_CTX_free(drbg->rand);
     OPENSSL_free(drbg);
 }
 
diff --git a/include/openssl/rand_drbg.h b/include/openssl/rand_drbg.h
index fd708d397c..f8517b8ecd 100644
--- a/include/openssl/rand_drbg.h
+++ b/include/openssl/rand_drbg.h
@@ -152,6 +152,8 @@ int RAND_DRBG_set_callback_data(RAND_DRBG *drbg, void *data);
 
 void *RAND_DRBG_get_callback_data(RAND_DRBG *drbg);
 
+int RAND_DRBG_verify_zeroization(RAND_DRBG *drbg);
+
 # ifdef  __cplusplus
 }
 # endif
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 674806edb2..17bfc950db 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -60,7 +60,8 @@ typedef struct st_kat_kdf_st {
 typedef struct st_kat_drbg_st {
     const char *desc;
     const char *algorithm;
-    int nid;
+    const char *param_name;
+    char *param_value;
     const unsigned char *entropyin;
     size_t entropyinlen;
     const unsigned char *nonce;
@@ -458,8 +459,7 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
 {
     {
         OSSL_SELF_TEST_DESC_DRBG_HASH,
-        "SHA256",
-        NID_sha256,
+        "HASH-DRBG", "digest", "SHA256",
         ITM(drbg_hash_sha256_pr_entropyin),
         ITM(drbg_hash_sha256_pr_nonce),
         ITM(drbg_hash_sha256_pr_persstr),
@@ -471,8 +471,7 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
     },
     {
         OSSL_SELF_TEST_DESC_DRBG_CTR,
-        "AES-128",
-        NID_aes_128_ctr,
+        "CTR-DRBG", "cipher", "AES-128-CTR",
         ITM(drbg_ctr_aes128_pr_df_entropyin),
         ITM(drbg_ctr_aes128_pr_df_nonce),
         ITM(drbg_ctr_aes128_pr_df_persstr),
@@ -484,8 +483,7 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
     },
     {
         OSSL_SELF_TEST_DESC_DRBG_HMAC,
-        "SHA1",
-        NID_sha1,
+        "HMAC-DRBG", "digest", "SHA1",
         ITM(drbg_hmac_sha1_pr_entropyin),
         ITM(drbg_hmac_sha1_pr_nonce),
         ITM(drbg_hmac_sha1_pr_persstr),
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 6b75f12e5c..6dc9dbc17f 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -10,17 +10,12 @@
 #include <string.h>
 #include <openssl/evp.h>
 #include <openssl/kdf.h>
-#include <openssl/rand_drbg.h>
 #include <openssl/core_names.h>
 #include <openssl/param_build.h>
 #include "internal/cryptlib.h"
 #include "internal/nelem.h"
 #include "self_test.h"
 #include "self_test_data.inc"
-#include "../../crypto/rand/rand_local.h"
-
-#define DRBG_PARAM_ENTROPY "DRBG-ENTROPY"
-#define DRBG_PARAM_NONCE   "DRBG-NONCE"
 
 static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
                             OPENSSL_CTX *libctx)
@@ -240,86 +235,90 @@ err:
     return ret;
 }
 
-static size_t drbg_kat_entropy_cb(RAND_DRBG *drbg, unsigned char **pout,
-                                  int entropy, size_t min_len, size_t max_len,
-                                  int prediction_resistance)
-{
-    OSSL_PARAM *drbg_params = RAND_DRBG_get_callback_data(drbg);
-    OSSL_PARAM *p = OSSL_PARAM_locate(drbg_params, DRBG_PARAM_ENTROPY);
-
-    if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
-        return 0;
-    *pout = (unsigned char *)p->data;
-    return p->data_size;
-}
-
-static size_t drbg_kat_nonce_cb(RAND_DRBG *drbg, unsigned char **pout,
-                                int entropy, size_t min_len, size_t max_len)
-{
-    OSSL_PARAM *drbg_params = RAND_DRBG_get_callback_data(drbg);
-    OSSL_PARAM *p = OSSL_PARAM_locate(drbg_params, DRBG_PARAM_NONCE);
-
-    if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
-        return 0;
-    *pout = (unsigned char *)p->data;
-    return p->data_size;
-}
-
 static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
                           OPENSSL_CTX *libctx)
 {
     int ret = 0;
     unsigned char out[256];
-    RAND_DRBG *drbg = NULL;
-    unsigned int flags = 0;
+    EVP_RAND *rand;
+    EVP_RAND_CTX *test = NULL, *drbg = NULL;
+    unsigned int strength = 256;
     int prediction_resistance = 1; /* Causes a reseed */
     OSSL_PARAM drbg_params[3] = {
         OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
     };
-    static const unsigned char zero[sizeof(drbg->data)] = { 0 };
 
     OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
 
-    if (strcmp(t->desc, OSSL_SELF_TEST_DESC_DRBG_HMAC) == 0)
-        flags |= RAND_DRBG_FLAG_HMAC;
+    rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
+    if (rand == NULL)
+        goto err;
 
-    drbg = RAND_DRBG_new_ex(libctx, t->nid, flags, NULL);
-    if (drbg == NULL)
+    test = EVP_RAND_CTX_new(rand, NULL);
+    EVP_RAND_free(rand);
+    if (test == NULL)
         goto err;
 
-    if (!RAND_DRBG_set_callback_data(drbg, drbg_params))
+    drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
+                                               &strength);
+    if (!EVP_RAND_set_ctx_params(test, drbg_params))
         goto err;
 
-    if (!RAND_DRBG_set_callbacks(drbg, drbg_kat_entropy_cb, NULL,
-                                 drbg_kat_nonce_cb, NULL))
+    rand = EVP_RAND_fetch(libctx, t->algorithm, NULL);
+    if (rand == NULL)
+        goto err;
+
+    drbg = EVP_RAND_CTX_new(rand, test);
+    EVP_RAND_free(rand);
+    if (drbg == NULL)
+        goto err;
+
+    strength = EVP_RAND_strength(drbg);
+
+    drbg_params[0] = OSSL_PARAM_construct_utf8_string(t->param_name,
+                                                      t->param_value, 0);
+    /* This is only used by HMAC-DRBG but it is ignored by the others */
+    drbg_params[1] =
+        OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC, "HMAC", 0);
+    if (!EVP_RAND_set_ctx_params(drbg, drbg_params))
         goto err;
 
     drbg_params[0] =
-        OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
-                                          (void *)t->entropyin, t->entropyinlen);
+        OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
+                                          (void *)t->entropyin,
+                                          t->entropyinlen);
     drbg_params[1] =
-        OSSL_PARAM_construct_octet_string(DRBG_PARAM_NONCE,
+        OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE,
                                           (void *)t->nonce, t->noncelen);
-
-    if (!RAND_DRBG_instantiate(drbg, t->persstr, t->persstrlen))
+    if (!EVP_RAND_set_ctx_params(test, drbg_params)
+            || !EVP_RAND_instantiate(test, strength, 0, NULL, 0))
+        goto err;
+    if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen))
         goto err;
 
     drbg_params[0] =
-        OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
+        OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
                                           (void *)t->entropyinpr1,
                                           t->entropyinpr1len);
+    if (!EVP_RAND_set_ctx_params(test, drbg_params))
+        goto err;
 
-    if (!RAND_DRBG_generate(drbg, out, t->expectedlen, prediction_resistance,
-                            t->entropyaddin1, t->entropyaddin1len))
+    if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
+                           prediction_resistance,
+                           t->entropyaddin1, t->entropyaddin1len))
         goto err;
 
     drbg_params[0] =
-        OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
+        OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY,
                                          (void *)t->entropyinpr2,
                                          t->entropyinpr2len);
+    if (!EVP_RAND_set_ctx_params(test, drbg_params))
+        goto err;
+
     /* This calls RAND_DRBG_reseed() internally when prediction_resistance = 1 */
-    if (!RAND_DRBG_generate(drbg, out,  t->expectedlen, prediction_resistance,
-                            t->entropyaddin2, t->entropyaddin2len))
+    if (!EVP_RAND_generate(drbg, out, t->expectedlen, strength,
+                           prediction_resistance,
+                           t->entropyaddin2, t->entropyaddin2len))
         goto err;
 
     OSSL_SELF_TEST_oncorrupt_byte(st, out);
@@ -327,17 +326,18 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st,
     if (memcmp(out, t->expected, t->expectedlen) != 0)
         goto err;
 
-    if (!RAND_DRBG_uninstantiate(drbg))
+    if (!EVP_RAND_uninstantiate(drbg))
         goto err;
     /*
      * Check that the DRBG data has been zeroized after RAND_DRBG_uninstantiate.
      */
-    if (memcmp((unsigned char *)&drbg->data, zero, sizeof(drbg->data)) != 0)
+    if (!EVP_RAND_verify_zeroization(drbg))
         goto err;
 
     ret = 1;
 err:
-    RAND_DRBG_free(drbg);
+    EVP_RAND_CTX_free(drbg);
+    EVP_RAND_CTX_free(test);
     OSSL_SELF_TEST_onend(st, ret);
     return ret;
 }