diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2011-09-09 17:16:43 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2011-09-09 17:16:43 +0000 |
commit | 7fdcb45745c01b90b256fe97e87eae31453e11e6 (patch) | |
tree | 8533f8d520850c5d4064f4f77c6c14559e7e9c82 | |
parent | e4588dc486b947cf243b64ceab31acb637d40233 (diff) |
Add support for Dual EC DRBG from SP800-90. Include updates to algorithm
tests and POST code.
-rw-r--r-- | CHANGES | 8 | ||||
-rw-r--r-- | fips/fips_test_suite.c | 10 | ||||
-rw-r--r-- | fips/fipsalgtest.pl | 1 | ||||
-rw-r--r-- | fips/rand/Makefile | 4 | ||||
-rw-r--r-- | fips/rand/fips_drbg_ec.c | 546 | ||||
-rw-r--r-- | fips/rand/fips_drbg_lib.c | 23 | ||||
-rw-r--r-- | fips/rand/fips_drbg_selftest.c | 15 | ||||
-rw-r--r-- | fips/rand/fips_drbg_selftest.h | 1462 | ||||
-rw-r--r-- | fips/rand/fips_drbgvs.c | 27 | ||||
-rw-r--r-- | fips/rand/fips_rand.h | 1 | ||||
-rw-r--r-- | fips/rand/fips_rand_lcl.h | 35 |
11 files changed, 2121 insertions, 11 deletions
@@ -4,11 +4,15 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] + *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test + and POST to handle Dual EC cases. + [Steve Henson] + *) Add support for canonical generation of DSA parameter 'g'. See FIPS 186-3 A.2.3. - *) Add support for HMAC DRBG from SP800-90. Update algorithm and POST - to handle HMAC cases. + *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and + POST to handle HMAC cases. [Steve Henson] *) Add functions FIPS_module_version() and FIPS_module_version_text() diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c index 6046ae0f86..4230c053c8 100644 --- a/fips/fips_test_suite.c +++ b/fips/fips_test_suite.c @@ -698,6 +698,9 @@ POST_ID id_list[] = { {NID_aes_256_xts, "AES-256-XTS"}, {NID_des_ede3_cbc, "DES-EDE3-CBC"}, {NID_des_ede3_ecb, "DES-EDE3-ECB"}, + {NID_X9_62_prime256v1, "P-256"}, + {NID_secp384r1, "P-384"}, + {NID_secp521r1, "P-521"}, {0, NULL} }; @@ -788,6 +791,13 @@ static int post_cb(int op, int id, int subid, void *ex) sprintf(asctmp, "%s DF", lookup_id(subid)); exstr = asctmp; } + else if (subid >> 16) + { + sprintf(asctmp, "%s %s", + lookup_id(subid >> 16), + lookup_id(subid & 0xFFFF)); + exstr = asctmp; + } else exstr = lookup_id(subid); break; diff --git a/fips/fipsalgtest.pl b/fips/fipsalgtest.pl index 706cd30268..4ab2c962ee 100644 --- a/fips/fipsalgtest.pl +++ b/fips/fipsalgtest.pl @@ -434,6 +434,7 @@ my @fips_drbg_test_list = ( # SP800-90 DRBG tests "SP800-90 DRBG", [ "CTR_DRBG", "fips_drbgvs" ], + [ "Dual_EC_DRBG", "fips_drbgvs" ], [ "Hash_DRBG", "fips_drbgvs" ], [ "HMAC_DRBG", "fips_drbgvs" ] diff --git a/fips/rand/Makefile b/fips/rand/Makefile index 6890bd0f2a..26bc46b72a 100644 --- a/fips/rand/Makefile +++ b/fips/rand/Makefile @@ -23,10 +23,10 @@ APPS= LIB=$(TOP)/libcrypto.a LIBSRC= fips_rand.c fips_rand_selftest.c fips_drbg_lib.c \ - fips_drbg_hash.c fips_drbg_hmac.c fips_drbg_ctr.c \ + fips_drbg_hash.c fips_drbg_hmac.c fips_drbg_ctr.c fips_drbg_ec.c \ fips_drbg_selftest.c fips_drbg_rand.c fips_rand_lib.c LIBOBJ= fips_rand.o fips_rand_selftest.o fips_drbg_lib.o \ - fips_drbg_hash.o fips_drbg_hmac.o fips_drbg_ctr.o \ + fips_drbg_hash.o fips_drbg_hmac.o fips_drbg_ctr.o fips_drbg_ec.o \ fips_drbg_selftest.o fips_drbg_rand.o fips_rand_lib.o SRC= $(LIBSRC) diff --git a/fips/rand/fips_drbg_ec.c b/fips/rand/fips_drbg_ec.c new file mode 100644 index 0000000000..ee6fe074ec --- /dev/null +++ b/fips/rand/fips_drbg_ec.c @@ -0,0 +1,546 @@ +/* fips/rand/fips_drbg_ec.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#define OPENSSL_FIPSAPI + +#include <stdlib.h> +#include <string.h> +#include <openssl/crypto.h> +#include <openssl/fips.h> +#include <openssl/fips_rand.h> +#include <openssl/bn.h> +#include "fips_rand_lcl.h" + +/*#define EC_DRBG_TRACE*/ + +#ifdef EC_DRBG_TRACE +static void hexprint(FILE *out, const unsigned char *buf, int buflen) + { + int i; + fprintf(out, "\t"); + for (i = 0; i < buflen; i++) + fprintf(out, "%02X", buf[i]); + fprintf(out, "\n"); + } +static void bnprint(FILE *out, const char *name, const BIGNUM *b) + { + unsigned char *tmp; + int len; + len = BN_num_bytes(b); + tmp = OPENSSL_malloc(len); + BN_bn2bin(b, tmp); + fprintf(out, "%s\n", name); + hexprint(out, tmp, len); + OPENSSL_free(tmp); + } +#if 0 +static void ecprint(FILE *out, EC_GROUP *grp, EC_POINT *pt) + { + BIGNUM *x, *y; + x = BN_new(); + y = BN_new(); + EC_POINT_get_affine_coordinates_GFp(grp, pt, x, y, NULL); + bnprint(out, "\tPoint X: ", x); + bnprint(out, "\tPoint Y: ", y); + BN_free(x); + BN_free(y); + } +#endif +#endif + +/* This is Hash_df from SP 800-90 10.4.1 */ + +static int hash_df(DRBG_CTX *dctx, unsigned char *out, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *in3, size_t in3len) + { + DRBG_EC_CTX *ectx = &dctx->d.ec; + EVP_MD_CTX *mctx = &ectx->mctx; + unsigned char *vtmp = ectx->vtmp; + unsigned char tmp[6]; + size_t mdlen = M_EVP_MD_size(ectx->md); + /* Standard only ever needs seedlen bytes which is always less than + * maximum permitted so no need to check length. + */ + size_t outlen = dctx->seedlen; + size_t nbits = (outlen << 3) - ectx->exbits; + tmp[0] = 1; + tmp[1] = (nbits >> 24) & 0xff; + tmp[2] = (nbits >> 16) & 0xff; + tmp[3] = (nbits >> 8) & 0xff; + tmp[4] = nbits & 0xff; + if (!in1) + { + tmp[5] = (unsigned char)in1len; + in1 = tmp + 5; + in1len = 1; + } + for (;;) + { + if (!FIPS_digestinit(mctx, ectx->md)) + return 0; + if (!FIPS_digestupdate(mctx, tmp, 5)) + return 0; + if (in1 && !FIPS_digestupdate(mctx, in1, in1len)) + return 0; + if (in2 && !FIPS_digestupdate(mctx, in2, in2len)) + return 0; + if (in3 && !FIPS_digestupdate(mctx, in3, in3len)) + return 0; + if (outlen < mdlen) + { + if (!FIPS_digestfinal(mctx, vtmp, NULL)) + return 0; + memcpy(out, vtmp, outlen); + OPENSSL_cleanse(vtmp, mdlen); + return 1; + } + else if(!FIPS_digestfinal(mctx, out, NULL)) + return 0; + + outlen -= mdlen; + if (outlen == 0) + return 1; + tmp[0]++; + out += mdlen; + } + } + +static int bn2binpad(unsigned char *to, size_t tolen, BIGNUM *b) + { + size_t blen; + blen = BN_num_bytes(b); + /* If BIGNUM length greater than buffer, mask to get rightmost + * bytes. NB: modifies b but this doesn't matter for our purposes. + */ + if (blen > tolen) + { + BN_mask_bits(b, tolen << 3); + /* Update length because mask operation might create leading + * zeroes. + */ + blen = BN_num_bytes(b); + } + /* If b length smaller than buffer pad with zeroes */ + if (blen < tolen) + { + memset(to, 0, tolen - blen); + to += tolen - blen; + } + + /* This call cannot fail */ + BN_bn2bin(b, to); + return 1; + } +/* Convert buffer to a BIGNUM discarding extra bits if necessary */ +static int bin2bnbits(DRBG_CTX *dctx, BIGNUM *r, const unsigned char *buf) + { + DRBG_EC_CTX *ectx = &dctx->d.ec; + if (!BN_bin2bn(buf, dctx->seedlen, r)) + return 0; + /* If we have extra bits right shift off the end of r */ + if (ectx->exbits) + { + if (!BN_rshift(r, r, ectx->exbits)) + return 0; + } + return 1; + } + +/* Calculate r = phi(s * P) or r= phi(s * Q) */ + +static int drbg_ec_mul(DRBG_EC_CTX *ectx, BIGNUM *r, const BIGNUM *s, int use_q) + { + if (use_q) + { + if (!EC_POINT_mul(ectx->curve, ectx->ptmp, + NULL, ectx->Q, s, ectx->bctx)) + return 0; + } + else + { + if (!EC_POINT_mul(ectx->curve, ectx->ptmp, + s, NULL, NULL, ectx->bctx)) + return 0; + } + /* Get x coordinate of result */ + if (!EC_POINT_get_affine_coordinates_GFp(ectx->curve, ectx->ptmp, r, + NULL, ectx->bctx)) + return 0; + return 0; + } + +static int drbg_ec_instantiate(DRBG_CTX *dctx, + const unsigned char *ent, size_t ent_len, + const unsigned char *nonce, size_t nonce_len, + const unsigned char *pstr, size_t pstr_len) + { + DRBG_EC_CTX *ectx = &dctx->d.ec; + if (!hash_df(dctx, ectx->sbuf, + ent, ent_len, nonce, nonce_len, pstr, pstr_len)) + return 0; + if (!bin2bnbits(dctx, ectx->s, ectx->sbuf)) + return 0; + return 1; + } + + +static int drbg_ec_reseed(DRBG_CTX *dctx, + const unsigned char *ent, size_t ent_len, + const unsigned char *adin, size_t adin_len) + { + DRBG_EC_CTX *ectx = &dctx->d.ec; + /* Check if we have a deferred s = s * P */ + if (ectx->sp_defer) + { + if (drbg_ec_mul(ectx, ectx->s, ectx->s, 0)) + return 0; + ectx->sp_defer = 0; + } + /* Convert s value to a binary buffer. Save it to tbuf as we are + * about to overwrite it. + */ + if (ectx->exbits) + BN_lshift(ectx->s, ectx->s, ectx->exbits); + bn2binpad(ectx->tbuf, dctx->seedlen, ectx->s); + if (!hash_df(dctx, ectx->sbuf, ectx->tbuf, dctx->seedlen, + ent, ent_len, adin, adin_len)) + return 0; + if (!bin2bnbits(dctx, ectx->s, ectx->sbuf)) + return 0; + dctx->reseed_counter = 0; + return 1; + } + +static int drbg_ec_generate(DRBG_CTX *dctx, + unsigned char *out, size_t outlen, + const unsigned char *adin, size_t adin_len) + { + DRBG_EC_CTX *ectx = &dctx->d.ec; + BIGNUM *t, *r; + BIGNUM *s = ectx->s; + /* special case: check reseed interval */ + if (out == NULL) + { + size_t nb = (outlen + dctx->blocklength - 1)/dctx->blocklength; + if (dctx->reseed_counter + nb > dctx->reseed_interval) + dctx->status = DRBG_STATUS_RESEED; + return 1; + } + /* Check if we have a deferred s = s * P */ + if (ectx->sp_defer) + { + if (drbg_ec_mul(ectx, s, s, 0)) + goto err; + ectx->sp_defer = 0; + } + + BN_CTX_start(ectx->bctx); + t = BN_CTX_get(ectx->bctx); + r = BN_CTX_get(ectx->bctx); + if (!r) + goto err; + if (adin && adin_len) + { + size_t i; + /* Convert s to buffer */ + if (ectx->exbits) + BN_lshift(ectx->s, ectx->s, ectx->exbits); + bn2binpad(ectx->sbuf, dctx->seedlen, ectx->s); + /* Step 2 */ + if (!hash_df(dctx, ectx->tbuf, adin, adin_len, + NULL, 0, NULL, 0)) + goto err; + /* Step 5 */ + for (i = 0; i < dctx->seedlen; i++) + ectx->tbuf[i] ^= ectx->sbuf[i]; + if (!bin2bnbits(dctx, t, ectx->tbuf)) + return 0; + } + else + if (!BN_copy(t, ectx->s)) + goto err; + +#ifdef EC_DRBG_TRACE + bnprint(stderr, "s at start of generate: ", ectx->s); +#endif + + for (;;) + { + /* Step #6, calculate s = t * P */ + if (drbg_ec_mul(ectx, s, t, 0)) + goto err; +#ifdef EC_DRBG_TRACE + bnprint(stderr, "s in generate: ", ectx->s); +#endif + /* Step #7, calculate r = s * Q */ + if (drbg_ec_mul(ectx, r, s, 1)) + goto err; +#ifdef EC_DRBG_TRACE + bnprint(stderr, "r in generate is: ", r); +#endif + dctx->reseed_counter++; + /* Get rightmost bits of r to output buffer */ + + if (!(dctx->flags & DRBG_FLAG_TEST) && !dctx->lb_valid) + { + if (!bn2binpad(dctx->lb, dctx->blocklength, r)) + goto err; + dctx->lb_valid = 1; + continue; + } + if (outlen < dctx->blocklength) + { + if (!bn2binpad(ectx->vtmp, dctx->blocklength, r)) + goto err; + if (!fips_drbg_cprng_test(dctx, ectx->vtmp)) + goto err; + memcpy(out, ectx->vtmp, outlen); + break; + } + else + { + if (!bn2binpad(out, dctx->blocklength, r)) + goto err; + if (!fips_drbg_cprng_test(dctx, out)) + goto err; + } + outlen -= dctx->blocklength; + if (!outlen) + break; + out += dctx->blocklength; +#ifdef EC_DRBG_TRACE + fprintf(stderr, "Random bits written:\n"); + hexprint(stderr, out, dctx->blocklength); +#endif + } + /* Defer s = s * P until we need it */ + ectx->sp_defer = 1; +#ifdef EC_DRBG_TRACE + bnprint(stderr, "s after generate is: ", s); +#endif + BN_CTX_end(ectx->bctx); + return 1; + err: + BN_CTX_end(ectx->bctx); + return 0; + } + +static int drbg_ec_uninstantiate(DRBG_CTX *dctx) + { + DRBG_EC_CTX *ectx = &dctx->d.ec; + EVP_MD_CTX_cleanup(&ectx->mctx); + EC_GROUP_free(ectx->curve); + EC_POINT_free(ectx->Q); + EC_POINT_free(ectx->ptmp); + BN_clear_free(ectx->s); + BN_CTX_free(ectx->bctx); + OPENSSL_cleanse(&dctx->d.ec, sizeof(DRBG_EC_CTX)); + return 1; + } + +/* Q points from SP 800-90 A.1, P is generator */ + +static const unsigned char p_256_qx[] = { + 0xc9,0x74,0x45,0xf4,0x5c,0xde,0xf9,0xf0,0xd3,0xe0,0x5e,0x1e, + 0x58,0x5f,0xc2,0x97,0x23,0x5b,0x82,0xb5,0xbe,0x8f,0xf3,0xef, + 0xca,0x67,0xc5,0x98,0x52,0x01,0x81,0x92 +}; +static const unsigned char p_256_qy[] = { + 0xb2,0x8e,0xf5,0x57,0xba,0x31,0xdf,0xcb,0xdd,0x21,0xac,0x46, + 0xe2,0xa9,0x1e,0x3c,0x30,0x4f,0x44,0xcb,0x87,0x05,0x8a,0xda, + 0x2c,0xb8,0x15,0x15,0x1e,0x61,0x00,0x46 +}; + +static const unsigned char p_384_qx[] = { + 0x8e,0x72,0x2d,0xe3,0x12,0x5b,0xdd,0xb0,0x55,0x80,0x16,0x4b, + 0xfe,0x20,0xb8,0xb4,0x32,0x21,0x6a,0x62,0x92,0x6c,0x57,0x50, + 0x2c,0xee,0xde,0x31,0xc4,0x78,0x16,0xed,0xd1,0xe8,0x97,0x69, + 0x12,0x41,0x79,0xd0,0xb6,0x95,0x10,0x64,0x28,0x81,0x50,0x65 +}; +static const unsigned char p_384_qy[] = { + 0x02,0x3b,0x16,0x60,0xdd,0x70,0x1d,0x08,0x39,0xfd,0x45,0xee, + 0xc3,0x6f,0x9e,0xe7,0xb3,0x2e,0x13,0xb3,0x15,0xdc,0x02,0x61, + 0x0a,0xa1,0xb6,0x36,0xe3,0x46,0xdf,0x67,0x1f,0x79,0x0f,0x84, + 0xc5,0xe0,0x9b,0x05,0x67,0x4d,0xbb,0x7e,0x45,0xc8,0x03,0xdd +}; + +static const unsigned char p_521_qx[] = { + 0x01,0xb9,0xfa,0x3e,0x51,0x8d,0x68,0x3c,0x6b,0x65,0x76,0x36, + 0x94,0xac,0x8e,0xfb,0xae,0xc6,0xfa,0xb4,0x4f,0x22,0x76,0x17, + 0x1a,0x42,0x72,0x65,0x07,0xdd,0x08,0xad,0xd4,0xc3,0xb3,0xf4, + 0xc1,0xeb,0xc5,0xb1,0x22,0x2d,0xdb,0xa0,0x77,0xf7,0x22,0x94, + 0x3b,0x24,0xc3,0xed,0xfa,0x0f,0x85,0xfe,0x24,0xd0,0xc8,0xc0, + 0x15,0x91,0xf0,0xbe,0x6f,0x63 +}; +static const unsigned char p_521_qy[] = { + 0x01,0xf3,0xbd,0xba,0x58,0x52,0x95,0xd9,0xa1,0x11,0x0d,0x1d, + 0xf1,0xf9,0x43,0x0e,0xf8,0x44,0x2c,0x50,0x18,0x97,0x6f,0xf3, + 0x43,0x7e,0xf9,0x1b,0x81,0xdc,0x0b,0x81,0x32,0xc8,0xd5,0xc3, + 0x9c,0x32,0xd0,0xe0,0x04,0xa3,0x09,0x2b,0x7d,0x32,0x7c,0x0e, + 0x7a,0x4d,0x26,0xd2,0xc7,0xb6,0x9b,0x58,0xf9,0x06,0x66,0x52, + 0x91,0x1e,0x45,0x77,0x79,0xde +}; + +int fips_drbg_ec_init(DRBG_CTX *dctx) + { + const EVP_MD *md; + const unsigned char *Q_x, *Q_y; + BIGNUM *x, *y; + size_t ptlen; + int md_nid = dctx->type & 0xffff; + int curve_nid = dctx->type >> 16; + DRBG_EC_CTX *ectx = &dctx->d.ec; + md = FIPS_get_digestbynid(md_nid); + if (!md) + return -2; + + /* These are taken from SP 800-90 10.3.1 table 4 */ + switch (curve_nid) + { + case NID_X9_62_prime256v1: + dctx->strength = 128; + dctx->seedlen = 32; + dctx->blocklength = 30; + ectx->exbits = 0; + Q_x = p_256_qx; + Q_y = p_256_qy; + ptlen = sizeof(p_256_qx); + break; + + case NID_secp384r1: + if (md_nid == NID_sha1) + return -2; + dctx->strength = 192; + dctx->seedlen = 48; + dctx->blocklength = 46; + ectx->exbits = 0; + Q_x = p_384_qx; + Q_y = p_384_qy; + ptlen = sizeof(p_384_qx); + break; + + case NID_secp521r1: + if (md_nid == NID_sha1 || md_nid == NID_sha224) + return -2; + dctx->strength = 256; + dctx->seedlen = 66; + dctx->blocklength = 63; + ectx->exbits = 7; + Q_x = p_521_qx; + Q_y = p_521_qy; + ptlen = sizeof(p_521_qx); + break; + + default: + return -2; + } + + dctx->flags |= DRBG_CUSTOM_RESEED; + dctx->reseed_counter = 0; + dctx->instantiate = drbg_ec_instantiate; + dctx->reseed = drbg_ec_reseed; + dctx->generate = drbg_ec_generate; + dctx->uninstantiate = drbg_ec_uninstantiate; + + ectx->md = md; + EVP_MD_CTX_init(&ectx->mctx); + + dctx->min_entropy = dctx->strength / 8; + dctx->max_entropy = 2 << 10; + + dctx->min_nonce = dctx->min_entropy / 2; + dctx->max_nonce = 2 << 10; + + dctx->max_pers = 2 << 10; + dctx->max_adin = 2 << 10; + + dctx->reseed_interval = 1<<24; + dctx->max_request = dctx->reseed_interval * dctx->blocklength; + + /* Setup internal structures */ + ectx->bctx = BN_CTX_new(); + if (!ectx->bctx) + return 0; + BN_CTX_start(ectx->bctx); + + ectx->s = BN_new(); + + ectx->curve = EC_GROUP_new_by_curve_name(curve_nid); + + ectx->Q = EC_POINT_new(ectx->curve); + ectx->ptmp = EC_POINT_new(ectx->curve); + + ectx->sp_defer = 0; + + x = BN_CTX_get(ectx->bctx); + y = BN_CTX_get(ectx->bctx); + + if (!ectx->s || !ectx->curve || !ectx->Q || !y) + goto err; + + if (!BN_bin2bn(Q_x, ptlen, x) || !BN_bin2bn(Q_y, ptlen, y)) + goto err; + if (!EC_POINT_set_affine_coordinates_GFp(ectx->curve, ectx->Q, + x, y, ectx->bctx)) + goto err; + + BN_CTX_end(ectx->bctx); + + return 1; + err: + BN_CTX_end(ectx->bctx); + drbg_ec_uninstantiate(dctx); + return 0; + } diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c index a0bb9eda64..114f78e6ab 100644 --- a/fips/rand/fips_drbg_lib.c +++ b/fips/rand/fips_drbg_lib.c @@ -79,6 +79,8 @@ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags) rv = fips_drbg_ctr_init(dctx); if (rv == -2) rv = fips_drbg_hmac_init(dctx); + if (rv == -2) + rv = fips_drbg_ec_init(dctx); if (rv <= 0) { @@ -243,7 +245,8 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx, dctx->status = DRBG_STATUS_READY; - dctx->reseed_counter = 1; + if (!(dctx->flags & DRBG_CUSTOM_RESEED)) + dctx->reseed_counter = 1; end: @@ -307,7 +310,8 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx, goto end; dctx->status = DRBG_STATUS_READY; - dctx->reseed_counter = 1; + if (!(dctx->flags & DRBG_CUSTOM_RESEED)) + dctx->reseed_counter = 1; end: if (entropy && dctx->cleanup_entropy) @@ -373,7 +377,9 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, goto end; } - if (dctx->reseed_counter >= dctx->reseed_interval) + if (dctx->flags & DRBG_CUSTOM_RESEED) + dctx->generate(dctx, NULL, outlen, NULL, 0); + else if (dctx->reseed_counter >= dctx->reseed_interval) dctx->status = DRBG_STATUS_RESEED; if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) @@ -393,10 +399,13 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, dctx->status = DRBG_STATUS_ERROR; goto end; } - if (dctx->reseed_counter >= dctx->reseed_interval) - dctx->status = DRBG_STATUS_RESEED; - else - dctx->reseed_counter++; + if (!(dctx->flags & DRBG_CUSTOM_RESEED)) + { + if (dctx->reseed_counter >= dctx->reseed_interval) + dctx->status = DRBG_STATUS_RESEED; + else + dctx->reseed_counter++; + } end: if (r) diff --git a/fips/rand/fips_drbg_selftest.c b/fips/rand/fips_drbg_selftest.c index a06c4fcfd8..40a3ca8162 100644 --- a/fips/rand/fips_drbg_selftest.c +++ b/fips/rand/fips_drbg_selftest.c @@ -133,6 +133,9 @@ typedef struct { #define make_drbg_test_data_df(nid, pr, p) \ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p) +#define make_drbg_test_data_ec(curve, md, pr, p) \ + make_drbg_test_data((curve << 16) | md , 0, pr, p) + static DRBG_SELFTEST_DATA drbg_test[] = { make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0), make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0), @@ -150,6 +153,18 @@ static DRBG_SELFTEST_DATA drbg_test[] = { make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1), make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0), make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0), + make_drbg_test_data_ec(NID_X9_62_prime256v1, NID_sha1, p_256_sha1, 0), + make_drbg_test_data_ec(NID_X9_62_prime256v1, NID_sha224, p_256_sha224, 0), + make_drbg_test_data_ec(NID_X9_62_prime256v1, NID_sha256, p_256_sha256, 1), + make_drbg_test_data_ec(NID_X9_62_prime256v1, NID_sha384, p_256_sha384, 0), + make_drbg_test_data_ec(NID_X9_62_prime256v1, NID_sha512, p_256_sha512, 0), + make_drbg_test_data_ec(NID_secp384r1, NID_sha224, p_384_sha224, 0), + make_drbg_test_data_ec(NID_secp384r1, NID_sha256, p_384_sha256, 0), + make_drbg_test_data_ec(NID_secp384r1, NID_sha384, p_384_sha384, 0), + make_drbg_test_data_ec(NID_secp384r1, NID_sha512, p_384_sha512, 0), + make_drbg_test_data_ec(NID_secp521r1, NID_sha256, p_521_sha256, 0), + make_drbg_test_data_ec(NID_secp521r1, NID_sha384, p_521_sha384, 0), + make_drbg_test_data_ec(NID_secp521r1, NID_sha512, p_521_sha512, 0), {0,0,0} }; diff --git a/fips/rand/fips_drbg_selftest.h b/fips/rand/fips_drbg_selftest.h index cecb3c6a5b..572f047ece 100644 --- a/fips/rand/fips_drbg_selftest.h +++ b/fips/rand/fips_drbg_selftest.h @@ -2044,3 +2044,1465 @@ static const unsigned char hmac_sha512_returnedbits[] = 0xc2,0xd6,0xfd,0xa5 }; + +/* P-256 SHA-1 PR */ +static const unsigned char p_256_sha1_pr_entropyinput[] = + { + 0xb7,0xd4,0x38,0x90,0x9a,0xa8,0xfc,0xb6,0xd6,0x3c,0xc5,0x35, + 0x2b,0x0b,0x0e,0x1f + }; + +static const unsigned char p_256_sha1_pr_nonce[] = + { + 0xd9,0xae,0xf5,0xe8,0xd5,0x10,0x1f,0x82 + }; + +static const unsigned char p_256_sha1_pr_personalizationstring[] = + { + 0x88,0xe8,0x77,0xab,0x01,0x19,0x5e,0xaf,0x50,0x6c,0x89,0x2d, + 0x0c,0x12,0xe2,0x11 + }; + +static const unsigned char p_256_sha1_pr_additionalinput[] = + { + 0xd1,0x46,0xa6,0xb0,0x6e,0xc5,0xaa,0x7b,0x6d,0x1a,0xf9,0x36, + 0x8c,0x95,0x9c,0xed + }; + +static const unsigned char p_256_sha1_pr_entropyinputpr[] = + { + 0xb0,0x97,0xa8,0x3e,0xd3,0x28,0x3d,0x36,0xdd,0xfe,0x89,0x00, + 0x63,0x4f,0x21,0xfc + }; + +static const unsigned char p_256_sha1_pr_int_returnedbits[] = + { + 0x9f,0x66,0x6a,0x38,0x57,0x49,0x15,0xcd,0x5a,0x85,0x03,0x97, + 0x67,0xc3,0x62,0x46,0xb7,0x3a,0xd2,0x08,0x86,0x40,0x4e,0x6d, + 0x67,0xf4,0x19,0x68,0x92,0x63 + }; + +static const unsigned char p_256_sha1_pr_additionalinput2[] = + { + 0x0c,0xb6,0x1c,0xc7,0x52,0x47,0xe4,0xf1,0xa7,0x75,0x60,0x3d, + 0x60,0x07,0x72,0x6f + }; + +static const unsigned char p_256_sha1_pr_entropyinputpr2[] = + { + 0x39,0x37,0xb6,0x55,0x82,0x71,0x0e,0xd4,0x8f,0x8c,0x10,0xe5, + 0x7c,0x8f,0x5e,0x37 + }; + +static const unsigned char p_256_sha1_pr_returnedbits[] = + { + 0x37,0x6c,0x94,0x02,0xbe,0x28,0x42,0xd5,0xe7,0x4d,0x1a,0x6e, + 0xa8,0x5a,0x90,0x9a,0x31,0xa8,0x84,0x16,0xbc,0xe9,0x18,0xa4, + 0xe1,0xa1,0x05,0xf0,0x2a,0xe3 + }; + + +/* P-256 SHA-1 No PR */ +static const unsigned char p_256_sha1_entropyinput[] = + { + 0xac,0x08,0x45,0x86,0x79,0xfc,0x4b,0xb4,0x8b,0xe4,0xfd,0x1d, + 0x0e,0xeb,0x1b,0x8f + }; + +static const unsigned char p_256_sha1_nonce[] = + { + 0x5e,0xf4,0xe9,0xc5,0x04,0xee,0xb7,0x8a + }; + +static const unsigned char p_256_sha1_personalizationstring[] = + { + 0x55,0x0f,0xca,0x3b,0x1c,0xa6,0xf3,0xce,0xcb,0x6f,0xa7,0xc7, + 0x26,0x65,0x0f,0x7c + }; + +static const unsigned char p_256_sha1_additionalinput[] = + { + 0x74,0x51,0x73,0xa9,0xee,0x2e,0x21,0xf9,0xba,0x07,0xe4,0xad, + 0x97,0xae,0x1c,0x8b + }; + +static const unsigned char p_256_sha1_int_returnedbits[] = + { + 0x8d,0x45,0x11,0xa9,0x74,0x14,0x05,0x94,0x97,0x66,0x71,0xe2, + 0x9b,0x61,0x22,0x85,0xa5,0xaa,0x09,0x01,0x75,0xb5,0xab,0x3a, + 0x3a,0x6e,0x69,0xd3,0xc8,0xc4 + }; + +static const unsigned char p_256_sha1_entropyinputreseed[] = + { + 0x34,0xd9,0x8b,0x67,0x82,0xaf,0x97,0x95,0xe9,0x25,0xa7,0x93, + 0x37,0x06,0x73,0x5c + }; + +static const unsigned char p_256_sha1_additionalinputreseed[] = + { + 0x39,0x21,0x24,0x27,0x67,0xa1,0xc3,0xc4,0x90,0xc2,0x68,0x68, + 0x26,0x9b,0x32,0xc2 + }; + +static const unsigned char p_256_sha1_additionalinput2[] = + { + 0x84,0xa8,0x10,0xe5,0x71,0x0c,0x1e,0x74,0x42,0x6a,0xa5,0x09, + 0x90,0x74,0x39,0xd7 + }; + +static const unsigned char p_256_sha1_returnedbits[] = + { + 0x1e,0x0b,0x5c,0x41,0xcd,0xab,0x07,0xbd,0xdc,0x53,0xa7,0x62, + 0xd1,0xd0,0xca,0x19,0xe6,0xbb,0x8e,0xcf,0x1e,0x0a,0x4c,0xc0, + 0x2d,0x8c,0xe2,0xa4,0x89,0x2c + }; + + +/* P-256 SHA-224 PR */ +static const unsigned char p_256_sha224_pr_entropyinput[] = + { + 0x92,0x05,0xf0,0x1e,0xc4,0xc4,0x9e,0xab,0x85,0x10,0x16,0xda, + 0xa6,0xb4,0xba,0x6f + }; + +static const unsigned char p_256_sha224_pr_nonce[] = + { + 0xa3,0x5e,0xde,0x12,0xdc,0xa7,0x67,0xfd + }; + +static const unsigned char p_256_sha224_pr_personalizationstring[] = + { + 0x76,0xa0,0x8d,0x6c,0x0d,0x19,0x5d,0x94,0x9b,0x92,0x67,0x78, + 0x6c,0x02,0xfe,0xe4 + }; + +static const unsigned char p_256_sha224_pr_additionalinput[] = + { + 0xe2,0x05,0xcf,0x63,0x0f,0xf1,0xd0,0x41,0xc9,0xe3,0xf6,0xb0, + 0x57,0xaa,0xcd,0x92 + }; + +static const unsigned char p_256_sha224_pr_entropyinputpr[] = + { + 0x1a,0xd5,0xa9,0x25,0x52,0xa8,0xba,0x51,0x81,0x99,0x62,0x4d, + 0xbf,0x30,0x44,0xf3 + }; + +static const unsigned char p_256_sha224_pr_int_returnedbits[] = + { + 0xbf,0x9e,0x45,0x73,0x67,0x4b,0x25,0xa5,0x58,0x23,0x31,0xd8, + 0x0f,0xf3,0xe5,0x5d,0x0e,0x2d,0x9b,0x4a,0x5f,0x93,0x9c,0xad, + 0x6a,0xc5,0x70,0x4e,0x5e,0x58 + }; + +static const unsigned char p_256_sha224_pr_additionalinput2[] = + { + 0x4a,0x85,0x19,0xb2,0x61,0x5d,0xd5,0xc0,0x1f,0x47,0x72,0x8b, + 0x62,0x35,0x19,0xc1 + }; + +static const unsigned char p_256_sha224_pr_entropyinputpr2[] = + { + 0xda,0xa7,0x84,0x3f,0xfa,0xf9,0xd1,0x51,0x17,0xf8,0xe3,0x77, + 0xf5,0x20,0x37,0x17 + }; + +static const unsigned char p_256_sha224_pr_returnedbits[] = + { + 0x15,0xa4,0xa1,0x53,0x4f,0x63,0x06,0xfe,0x28,0xfd,0x58,0xa9, + 0xac,0x9c,0x83,0xb7,0x3a,0x86,0x82,0x92,0x96,0x89,0xea,0x3d, + 0xbd,0x83,0x3a,0x06,0x2a,0x7d + }; + + +/* P-256 SHA-224 No PR */ +static const unsigned char p_256_sha224_entropyinput[] = + { + 0xec,0x5b,0x46,0x4a,0xe1,0xe1,0xcb,0x31,0x86,0xa7,0x11,0x3a, + 0xff,0x87,0x4a,0x66 + }; + +static const unsigned char p_256_sha224_nonce[] = + { + 0xd1,0x6c,0x33,0x3c,0x37,0xc9,0xc6,0xac + }; + +static const unsigned char p_256_sha224_personalizationstring[] = + { + 0x8b,0xfe,0x68,0x96,0x2d,0xc5,0x91,0xb3,0xf2,0xaa,0x15,0xad, + 0x1a,0x50,0x0c,0x0a + }; + +static const unsigned char p_256_sha224_additionalinput[] = + { + 0xd4,0x48,0xfd,0x16,0x41,0xea,0xef,0x06,0x7f,0x4a,0xa2,0x60, + 0x60,0x31,0x20,0x5d + }; + +static const unsigned char p_256_sha224_int_returnedbits[] = + { + 0x68,0x64,0x67,0x0c,0x73,0x08,0x00,0x60,0x5a,0xa6,0x9a,0x27, + 0x01,0x81,0xae,0x2e,0x1d,0xa6,0x0a,0x86,0x77,0xef,0x05,0x3f, + 0x42,0xbe,0x46,0x73,0x40,0x1c + }; + +static const unsigned char p_256_sha224_entropyinputreseed[] = + { + 0x9c,0xde,0x86,0x11,0x55,0x9a,0xb4,0x2b,0x70,0xf0,0xc6,0x9d, + 0x8d,0x3a,0xc3,0x1e + }; + +static const unsigned char p_256_sha224_additionalinputreseed[] = + { + 0x5d,0x5b,0xeb,0x38,0xc5,0x8b,0x2b,0xc8,0x73,0xe3,0x0e,0xca, + 0x35,0xb0,0x4d,0x11 + }; + +static const unsigned char p_256_sha224_additionalinput2[] = + { + 0xf7,0xa3,0x79,0x4b,0xb0,0x2c,0x1e,0xc6,0x61,0x69,0x14,0x6a, + 0xed,0xf1,0xa2,0xd8 + }; + +static const unsigned char p_256_sha224_returnedbits[] = + { + 0x89,0x75,0x1b,0x89,0x20,0xcc,0xe2,0xaf,0xae,0x5e,0xc1,0xa9, + 0xde,0xc0,0x35,0x0b,0xf6,0x4e,0x04,0xfc,0xa7,0xe6,0x35,0xf9, + 0x16,0x8a,0xc6,0x0c,0x63,0x6b + }; + + +/* P-256 SHA-256 PR */ +static const unsigned char p_256_sha256_pr_entropyinput[] = + { + 0x22,0xe4,0x4c,0x01,0x94,0x59,0xce,0x08,0xb3,0x92,0x48,0xe2, + 0x0d,0x1a,0x32,0x4d + }; + +static const unsigned char p_256_sha256_pr_nonce[] = + { + 0x8d,0xf9,0x20,0x8a,0x65,0xf4,0x93,0x37 + }; + +static const unsigned char p_256_sha256_pr_personalizationstring[] = + { + 0x06,0x7e,0xe8,0x4f,0xdd,0xae,0x8d,0xf1,0xc9,0x13,0x9a,0x81, + 0xd3,0x68,0x76,0xc1 + }; + +static const unsigned char p_256_sha256_pr_additionalinput[] = + { + 0xfa,0x8e,0xea,0xf3,0xcf,0xda,0x7c,0x11,0x88,0xaa,0xb9,0x02, + 0x84,0xc4,0x30,0x54 + }; + +static const unsigned char p_256_sha256_pr_entropyinputpr[] = + { + 0xbb,0x21,0x72,0x4f,0x83,0x03,0x14,0x18,0x8e,0x88,0xec,0x73, + 0xde,0xed,0x60,0xf7 + }; + +static const unsigned char p_256_sha256_pr_int_returnedbits[] = + { + 0xdc,0x40,0x73,0x5e,0x1d,0x21,0x35,0x8c,0xcf,0xa4,0x50,0x05, + 0x5e,0x73,0xbd,0xde,0x5e,0x58,0xcc,0xc0,0x6f,0xd9,0xca,0x8d, + 0x48,0x9d,0x84,0x77,0xc2,0x8e + }; + +static const unsigned char p_256_sha256_pr_additionalinput2[] = + { + 0x0e,0xa7,0x4d,0x4f,0x19,0x94,0x34,0x05,0x46,0x3e,0x0c,0x05, + 0x27,0x85,0xd9,0xdf + }; + +static const unsigned char p_256_sha256_pr_entropyinputpr2[] = + { + 0x4f,0xae,0x44,0x10,0x2b,0xa1,0xbc,0xd7,0xcb,0xa7,0x49,0x55, + 0x27,0x54,0x36,0x2b + }; + +static const unsigned char p_256_sha256_pr_returnedbits[] = + { + 0x1c,0x16,0xf7,0x2b,0xd0,0xb7,0x54,0x5a,0xa5,0x85,0x14,0x63, + 0xd4,0x96,0x81,0x5a,0x6b,0xa4,0xde,0x57,0xbf,0xf3,0x81,0xc7, + 0xf5,0xbc,0xeb,0x4e,0x49,0xdf + }; + + +/* P-256 SHA-256 No PR */ +static const unsigned char p_256_sha256_entropyinput[] = + { + 0xa7,0x0b,0x6b,0xf7,0xfb,0x40,0x1a,0xca,0xa9,0x1f,0x16,0xc9, + 0x6a,0xd0,0x4a,0x8c + }; + +static const unsigned char p_256_sha256_nonce[] = + { + 0x97,0x8e,0xb1,0x72,0xe8,0x30,0xfc,0x43 + }; + +static const unsigned char p_256_sha256_personalizationstring[] = + { + 0x6c,0x90,0x00,0x41,0x84,0x7c,0x58,0x56,0x48,0xf0,0x60,0x04, + 0xe9,0xc0,0xa0,0xd8 + }; + +static const unsigned char p_256_sha256_additionalinput[] = < |