Add DRBG self tests by slontis · Pull Request #11010 · openssl/openssl

slontis · 2020-02-04T01:59:41Z

Checklist

documentation is added or updated
tests are added or updated

slontis · 2020-02-08T23:53:56Z

Modified to use the new DRBG_RAND_(set/get)_callback_data() call.

providers/fips/self_test_kats.c

slontis · 2020-02-09T22:25:08Z

travis error is a timeout..

slontis · 2020-02-09T22:25:14Z

ping

mspncp · 2020-02-10T09:16:34Z

@slontis I am having problems setting up the DRBG selftests in a way that I can run them in a debugger. Maybe you can help me? Here's what I tried:

I commented out the die "FIPS mode not supported\n"; line in the Configure script, because it would not let me ./config --debug fips otherwise.

Then I added a fprintf(stderr, "SELF_TEST_DRBG\n"); to self_test_drbg() (see fipshack.diff below) and ran the test (see fipstest.log):

make tests V=1 TESTS=test_fipsinstall

I see that the selftest gets invoked in command 3

SELF_TEST_DRBG
SELF_TEST_DRBG
SELF_TEST_DRBG
# HMAC : (Module_Integrity) : Pass
# SHA1 : (KAT_Digest) : Pass
# SHA2 : (KAT_Digest) : Pass
# SHA3 : (KAT_Digest) : Pass
# TDES : (KAT_Cipher) : Pass
# AES_GCM : (KAT_Cipher) : Pass
# HKDF : (KAT_KDF) : Pass
# HASH : (DRBG) : Pass
# CTR : (DRBG) : Pass
# HMAC : (DRBG) : Pass
# INSTALL PASSED
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -out fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install => 0
ok 3 - fipsinstall

However, when I subsequently try to run command 3 in the debugger like this

cd test/test-runs/
OPENSSL_MODULES=../../providers ../../util/shlib_wrap.sh gdb --args ../../apps/openssl fipsinstall -out fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install

the self tests does not get executed. What am I missing?

Also, I have two more related questions:

I noticed that the shlib_wrap.sh command lines can't be copy&pasted anymore and run by themselves, because the OPENSSL_MODULES and OPENSSL_ENGINES variables are not set by the shlib_wrap.sh script. (They are set by the tests make target) This is a pity, because it used to be an ideal method to plug in the debugger (see above). In contrast to shlib_wrap.sh, the opensslwrap.sh script does set those two environment variables if they are unset. Do you see any reason not to do it in shlib_wrap.sh as well?
Is this self-test only intended to be executed during fipsinstall, or will it become a general POST?

fipshack.diff

diff --git a/Configure b/Configure
index 2dd0520d3d..be78d70169 100755
--- a/Configure
+++ b/Configure
@@ -833,7 +833,7 @@ while (@argvcopy)
                 { $config{processor}=386; }
         elsif (/^fips$/)
                 {
-                die "FIPS mode not supported\n";
+#                die "FIPS mode not supported\n";
                 }
         elsif (/^rsaref$/)
                 {
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 81c237954e..69a798a0d6 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -235,6 +235,9 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_ST_EVENT *event,
         OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
     };
 
+    fprintf(stderr, "SELF_TEST_DRBG\n");
+
+
     SELF_TEST_EVENT_onbegin(event, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
 
     if (strcmp(t->desc, OSSL_SELF_TEST_DESC_DRBG_HMAC) == 0)
diff --git a/util/opensslwrap.sh b/util/opensslwrap.sh
index 7a38830270..3be8802f51 100755
--- a/util/opensslwrap.sh
+++ b/util/opensslwrap.sh
@@ -10,6 +10,10 @@ if [ -d "${HERE}../providers" -a "x$OPENSSL_MODULES" = "x" ]; then
 	OPENSSL_MODULES="${HERE}../providers"; export OPENSSL_MODULES
 fi
 
+echo OPENSSL_MODULES=$OPENSSL_MODULES
+echo OPENSSL_ENGINES=$OPENSSL_ENGINES
+
+
 if [ -x "${OPENSSL}.exe" ]; then
 	# The original reason for this script existence is to work around
 	# certain caveats in run-time linker behaviour. On Windows platforms

fipstest.log

make depend && make _tests
make[1]: Entering directory '/home/msp/src/openssl'
make[1]: Leaving directory '/home/msp/src/openssl'
make[1]: Entering directory '/home/msp/src/openssl'
( cd test; \
  mkdir -p test-runs; \
  SRCTOP=../. \
  BLDTOP=../. \
  RESULT_D=test-runs \
  PERL="/usr/bin/perl" \
  EXE_EXT= \
  OPENSSL_ENGINES=`cd .././engines 2>/dev/null && pwd` \
  OPENSSL_MODULES=`cd .././providers 2>/dev/null && pwd` \
  /usr/bin/perl .././test/run_tests.pl test_fipsinstall )
03-test_fipsinstall.t .. 
1..10
fipsinstall: Use -help for summary.
INSTALL FAILED
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -out fips.conf -module -provider_name fips -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install => 1
ok 1 - fipsinstall fail
Can't open dummy.tmp for reading, No such file or directory
00:81:45:01:AB:7F:00:00:error:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:69:calling fopen(dummy.tmp, r)
00:81:45:01:AB:7F:00:00:error:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:77:
VERIFY FAILED
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -in dummy.tmp -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install -verify => 1
ok 2 - fipsinstall verify fail
SELF_TEST_DRBG
SELF_TEST_DRBG
SELF_TEST_DRBG
# HMAC : (Module_Integrity) : Pass
# SHA1 : (KAT_Digest) : Pass
# SHA2 : (KAT_Digest) : Pass
# SHA3 : (KAT_Digest) : Pass
# TDES : (KAT_Cipher) : Pass
# AES_GCM : (KAT_Cipher) : Pass
# HKDF : (KAT_KDF) : Pass
# HASH : (DRBG) : Pass
# CTR : (DRBG) : Pass
# HMAC : (DRBG) : Pass
# INSTALL PASSED
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -out fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install => 0
ok 3 - fipsinstall
# VERIFY PASSED
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -in fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install -verify => 0
ok 4 - fipsinstall verify
Module integrity mismatch
VERIFY FAILED
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -in fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:01' -section_name fips_install -verify => 1
ok 5 - fipsinstall verify fail bad key
Module integrity mismatch
VERIFY FAILED
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -in fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA512' -macopt 'hexkey:00' -section_name fips_install -verify => 1
ok 6 - fipsinstall verify fail incorrect digest
INSTALL FAILED
00:91:28:89:2D:7F:00:00:error:common libcrypto routines:provider_activate:init fail:crypto/provider_core.c:456:
00:91:28:89:2D:7F:00:00:error:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:181:module=providers, value=provider_section, retcode=-1      
# HMAC : (Module_Integrity) : Corrupt Fail
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -out fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install -corrupt_desc HMAC => 1
ok 7 - fipsinstall fails when the module integrity is corrupted
SELF_TEST_DRBG
SELF_TEST_DRBG
SELF_TEST_DRBG
INSTALL FAILED
00:21:EA:93:3B:7F:00:00:error:common libcrypto routines:provider_activate:init fail:crypto/provider_core.c:456:
00:21:EA:93:3B:7F:00:00:error:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:181:module=providers, value=provider_section, retcode=-1      
# HMAC : (Module_Integrity) : Pass
# SHA1 : (KAT_Digest) : Corrupt Fail
# SHA2 : (KAT_Digest) : Pass
# SHA3 : (KAT_Digest) : Pass
# TDES : (KAT_Cipher) : Pass
# AES_GCM : (KAT_Cipher) : Pass
# HKDF : (KAT_KDF) : Pass
# HASH : (DRBG) : Pass
# CTR : (DRBG) : Pass
# HMAC : (DRBG) : Pass
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -out fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install -corrupt_desc SHA1 => 1
ok 8 - fipsinstall fails when the digest result is corrupted
SELF_TEST_DRBG
SELF_TEST_DRBG
SELF_TEST_DRBG
INSTALL FAILED
00:F1:0C:B0:7A:7F:00:00:error:common libcrypto routines:provider_activate:init fail:crypto/provider_core.c:456:
00:F1:0C:B0:7A:7F:00:00:error:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:181:module=providers, value=provider_section, retcode=-1      
# HMAC : (Module_Integrity) : Pass
# SHA1 : (KAT_Digest) : Pass
# SHA2 : (KAT_Digest) : Pass
# SHA3 : (KAT_Digest) : Corrupt Fail
# TDES : (KAT_Cipher) : Pass
# AES_GCM : (KAT_Cipher) : Pass
# HKDF : (KAT_KDF) : Pass
# HASH : (DRBG) : Pass
# CTR : (DRBG) : Pass
# HMAC : (DRBG) : Pass
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -out fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install -corrupt_desc SHA3 => 1
ok 9 - fipsinstall fails when the digest result is corrupted
SELF_TEST_DRBG
SELF_TEST_DRBG
SELF_TEST_DRBG
INSTALL FAILED
00:91:73:5C:4D:7F:00:00:error:common libcrypto routines:provider_activate:init fail:crypto/provider_core.c:456:
00:91:73:5C:4D:7F:00:00:error:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:181:module=providers, value=provider_section, retcode=-1      
# HMAC : (Module_Integrity) : Pass
# SHA1 : (KAT_Digest) : Pass
# SHA2 : (KAT_Digest) : Pass
# SHA3 : (KAT_Digest) : Pass
# TDES : (KAT_Cipher) : Pass
# AES_GCM : (KAT_Cipher) : Pass
# HKDF : (KAT_KDF) : Pass
# HASH : (DRBG) : Pass
# CTR : (DRBG) : Corrupt Fail
# HMAC : (DRBG) : Pass
../../util/shlib_wrap.sh ../../apps/openssl fipsinstall -out fips.conf -module ../../providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install -corrupt_desc CTR => 1
ok 10 - fipsinstall fails when the DRBG CTR result is corrupted
ok
All tests successful.
Files=1, Tests=10,  1 wallclock secs ( 0.01 usr  0.02 sys +  0.15 cusr  0.45 csys =  0.63 CPU)
Result: PASS
make[1]: Leaving directory '/home/msp/src/openssl'

slontis · 2020-02-10T10:12:23Z

I just run it like this when I am testing..

cd openssl
export OPENSSL_MODULES=providers
export LD_LIBRARY_PATH=.
./apps/openssl fipsinstall -out fips.conf -module ./providers/fips.so -provider_name fips -mac_name HMAC -macopt 'digest:SHA256' -macopt 'hexkey:00' -section_name fips_install

gdb --tui --args ....

:> break SELF_TEST_kats

slontis · 2020-02-10T10:14:54Z

The self test always runs during the init()..

I am working on being able to call it via the providers get_params().. But this only runs after the init() has been called - so that all the setup is stored and can be reused for running the kats..

mattcaswell · 2020-02-10T11:44:07Z

I commented out the die "FIPS mode not supported\n"; line in the Configure script, because it would not let me ./config --debug fips otherwise.

You don't need to specify "fips" on the config line at all. That's a legacy option from the 2.0 module.

mspncp · 2020-02-10T12:30:12Z

I commented out the die "FIPS mode not supported\n"; line in the Configure script, because it would not let me ./config --debug fips otherwise.

You don't need to specify "fips" on the config line at all. That's a legacy option from the 2.0 module.

Ok, that's what I remembered from the last time I asked you this question. But the fact that the test refused to run without the fips option confused me:

openssl/test/recipes/03-test_fipsinstall.t

Line 25 in b0593c0

plan skip_all => "Test only supported in a fips build" if disabled("fips");

Also, the Error message is very confusing: You are telling the users that you are not supporting FIPS mode. IMHO the error should only be a warning and reformulated, e.g., as follows:

Warning: the FIPS mode option is not required anymore and was ignored

mattcaswell · 2020-02-10T12:32:59Z

But the fact that the test refused to run without the fips option confused me:

Right...that just looks wrong.

Also, the Error message is very confusing: You are telling the users that you are not supporting FIPS mode. IMHO the error should only be a warning and reformulated, e.g., as follows:

Oh...that needs updating. Its inherited from 1.1.1 where that is true. Its not been changed for 3.0.

slontis · 2020-02-17T02:19:59Z

ping

mspncp · 2020-02-17T09:14:02Z

Could you please provide a reference (link) to the location where you got the test vectors from?

mspncp · 2020-02-17T11:23:09Z

@slontis @paulidale I haven't forgotten about the TODO you gave me, but I'm still pondering about the best way to do it.

https://github.com/openssl/openssl/blob/59bfdfc60d206d44cd28a7b1a1c3211f488c7e28/providers/fips/self_test_kats.c#L289-L293

My first reflex was to hook the uninstantiate callback of the RAND_DRBG_METHOD

https://github.com/openssl/openssl/blob/59bfdfc60d206d44cd28a7b1a1c3211f488c7e28/crypto/rand/rand_local.h#L146-L151

but it feels a bit hacky and I would like to avoid hooking. So I looked for alternative ways to do it. The problem starts in RAND_DRBG_uninstantiate(), because after calling the uninstantiate() callback some important properties need to be restored, in particular by calling RAND_DRBG_set() at the end, just before returning from RAND_DRBG_uninstantiate():

https://github.com/openssl/openssl/blob/59bfdfc60d206d44cd28a7b1a1c3211f488c7e28/crypto/rand/drbg_lib.c#L662-L679

This was added by me at some time and was necessary to make DRBG error recovery work. Because otherwise the DRBG would completely forget its type and reinstantiation would be impossible. However, no secret state information is restored, so I wondered whether it would be allowed to just separate the public 'administrative' information from the secret 'working state' and prove only that the latter is zeroed properly. Indeed, NIST.SP800.90Ar1 sees the secret DRBG state as part of the Working State, which is a subset of the Internal State.

Working State
    A subset of the internal state that is used by a DRBG
    mechanism to produce pseudorandom bits at a given point in
    time. The working state (and thus, the internal state) is
    updated to the next state prior to producing another string of
    pseudorandom bits.
	
    (page 8)

NIST.IR.8019 makes it a little bit more precise:

During the instantiation of a DRBG the initial state is derived from the seed. The internal state contains
administrative information and the working state. Some values of the working state are considered secret
values of the internal state. These values are listed below:
1. Hash_DRBG mechanism
   The values of V and C are the “secret” values of the internal state.
2. HMAC_DRBG mechanism
   The values of V and Key are the “secret values” of the internal state.
3. CTR_DRBG mechanism
   The values of V and Key are the “secret values” of the internal state.

Unfortunately, it seems that nevertheless FIPS insists that the entire Internal State is erased, including the administrative information, right?

7.4 The DRBG Mechanism Functions
...
    4. The uninstantiate function zeroizes (i.e., erases) the internal state.

Or has the interpretation of the FIPS standard been relaxed in the mean time?

(Side Note: If the entire internal state of the DRBG must be zeroed then it is actually questionable why the border around the internal state can be drawn at the RAND_DRBG_{HASH,HMAC,CTR} struct and why the rest of the RAND_DRBG structure does not belong to it. Also what sense does it make to verify the zeroing after the uninstantiate() callback, if immediately afterwards part of the internal information is restored in RAND_DRBG_uninstantiate()?)

https://github.com/openssl/openssl/blob/59bfdfc60d206d44cd28a7b1a1c3211f488c7e28/crypto/rand/rand_local.h#L317-L321

Maybe there is a better alternative to ensure that at least data remains clean after the RAND_DRBG_uninstantiate() call: We could postpone the calls to drbg_{ctr,hmac,hash}_init() and catch up on it in the RAND_DRBG_instantiate() call, but we would have to store the necessary information (in particular the type) elsewhere in the DRBG.

https://github.com/openssl/openssl/blob/59bfdfc60d206d44cd28a7b1a1c3211f488c7e28/crypto/rand/drbg_lib.c#L362-L372

What's your opinion, which path should I take?

Split the RAND_DRBG_{HASH,HMAC,CTR} structs into into a secret and a public part .
Hook the uninstantiate callback.
Postpone the drbg_{ctr,hmac,hash}_init() call until RAND_DRBG_instantiate().

paulidale · 2020-02-17T11:29:13Z

I think a good argument could be made for only zeroizing the secret state. We'd need to run this past the lab for confirmation.

Nonetheless, postponing the init call until later would be the best (i.e. safest) path forward I think.

This all might need revisiting in light of fetchable rand which will impact the RNG architecture :(

mspncp · 2020-02-17T20:44:53Z

See #11111.

mspncp · 2020-02-17T22:32:12Z

Some of the self tests here use goto err; instead of goto end;, which I find more expressive. Whatever you choose, it should be consistent.

From 012dc8380b90e061cc6cf9f5b6e69b3a3691b29c Mon Sep 17 00:00:00 2001
From: "Dr. Matthias St. Pierre" <[email protected]>
Date: Mon, 17 Feb 2020 23:28:53 +0100
Subject: [PATCH] fixup! Add DRBG self tests

---
 providers/fips/self_test_kats.c | 53 +++++++++++++++++----------------
 1 file changed, 27 insertions(+), 26 deletions(-)

diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 81c237954e..54e6fcfeb2 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -99,43 +99,43 @@ static int self_test_cipher(const ST_KAT_CIPHER *t, OSSL_ST_EVENT *event,
 
     ctx = EVP_CIPHER_CTX_new();
     if (ctx == NULL)
-        goto end;
+        goto err;
     cipher = EVP_CIPHER_fetch(libctx, t->base.algorithm, "");
     if (cipher == NULL)
-        goto end;
+        goto err;
 
     /* Encrypt plain text message */
     if (!cipher_init(ctx, cipher, t, encrypt)
             || !EVP_CipherUpdate(ctx, ct_buf, &len, t->base.pt, t->base.pt_len)
             || !EVP_CipherFinal_ex(ctx, ct_buf + len, &ct_len))
-        goto end;
+        goto err;
 
     SELF_TEST_EVENT_oncorrupt_byte(event, ct_buf);
     ct_len += len;
     if (ct_len != (int)t->base.expected_len
         || memcmp(t->base.expected, ct_buf, ct_len) != 0)
-        goto end;
+        goto err;
 
     if (t->tag != NULL) {
         unsigned char tag[16] = { 0 };
 
         if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, t->tag_len, tag)
             || memcmp(tag, t->tag, t->tag_len) != 0)
-            goto end;
+            goto err;
     }
 
     if (!(cipher_init(ctx, cipher, t, !encrypt)
           && EVP_CipherUpdate(ctx, pt_buf, &len, ct_buf, ct_len)
           && EVP_CipherFinal_ex(ctx, pt_buf + len, &pt_len)))
-        goto end;
+        goto err;
     pt_len += len;
 
     if (pt_len != (int)t->base.pt_len
             || memcmp(pt_buf, t->base.pt, pt_len) != 0)
-        goto end;
+        goto err;
 
     ret = 1;
-end:
+err:
     EVP_CIPHER_free(cipher);
     EVP_CIPHER_CTX_free(ctx);
     SELF_TEST_EVENT_onend(event, ret);
@@ -163,33 +163,33 @@ static int self_test_kdf(const ST_KAT_KDF *t, OSSL_ST_EVENT *event,
     kdf = EVP_KDF_fetch(libctx, t->algorithm, "");
     ctx = EVP_KDF_CTX_new(kdf);
     if (ctx == NULL)
-        goto end;
+        goto err;
 
     settables = EVP_KDF_settable_ctx_params(kdf);
     for (i = 0; t->ctrls[i].name != NULL; ++i) {
         if (!ossl_assert(i < (numparams - 1)))
-            goto end;
+            goto err;
         if (!OSSL_PARAM_allocate_from_text(&params[i], settables,
                                            t->ctrls[i].name,
                                            t->ctrls[i].value,
                                            strlen(t->ctrls[i].value)))
-            goto end;
+            goto err;
     }
     if (!EVP_KDF_CTX_set_params(ctx, params))
-        goto end;
+        goto err;
 
     if (t->expected_len > sizeof(out))
-        goto end;
+        goto err;
     if (EVP_KDF_derive(ctx, out, t->expected_len) <= 0)
-        goto end;
+        goto err;
 
     SELF_TEST_EVENT_oncorrupt_byte(event, out);
 
     if (memcmp(out, t->expected,  t->expected_len) != 0)
-        goto end;
+        goto err;
 
     ret = 1;
-end:
+err:
     for (i = 0; params[i].key != NULL; ++i)
         OPENSSL_free(params[i].data);
     EVP_KDF_free(kdf);
@@ -242,14 +242,14 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_ST_EVENT *event,
 
     drbg = RAND_DRBG_new_ex(libctx, t->nid, flags, NULL);
     if (drbg == NULL)
-        goto end;
+        goto err;
 
     if (!RAND_DRBG_set_callback_data(drbg, drbg_params))
-        goto end;
+        goto err;
 
     if (!RAND_DRBG_set_callbacks(drbg, drbg_kat_entropy_cb, NULL,
                                  drbg_kat_nonce_cb, NULL))
-        goto end;
+        goto err;
 
     drbg_params[0] =
         OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
@@ -259,7 +259,7 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_ST_EVENT *event,
                                           (void *)t->nonce, t->noncelen);
 
     if (!RAND_DRBG_instantiate(drbg, t->persstr, t->persstrlen))
-        goto end;
+        goto err;
 
     drbg_params[0] =
         OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
@@ -268,7 +268,7 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_ST_EVENT *event,
 
     if (!RAND_DRBG_generate(drbg, out, t->expectedlen, prediction_resistance,
                             t->entropyaddin1, t->entropyaddin1len))
-        goto end;
+        goto err;
 
     drbg_params[0] =
         OSSL_PARAM_construct_octet_string(DRBG_PARAM_ENTROPY,
@@ -277,15 +277,16 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_ST_EVENT *event,
     /* This calls RAND_DRBG_reseed() internally when prediction_resistance = 1 */
     if (!RAND_DRBG_generate(drbg, out,  t->expectedlen, prediction_resistance,
                             t->entropyaddin2, t->entropyaddin2len))
-        goto end;
+        goto err;
 
     SELF_TEST_EVENT_oncorrupt_byte(event, out);
 
     if (memcmp(out, t->expected, t->expectedlen) != 0)
-        goto end;
+        goto err;
 
     if (!RAND_DRBG_uninstantiate(drbg))
-        goto end;
+        goto err;
+
     /*
      * TODO(3.0) : Check that the DRBG data has been zeroed after
      * RAND_DRBG_uninstantiate. Its a bit hard currently to do this when
@@ -298,11 +299,11 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_ST_EVENT *event,
 
         for (i = 0; i < sz; ++i)
             if (*p++ != 0)
-                goto end;
+                goto err;
     }
 #endif
     ret = 1;
-end:
+err:
     RAND_DRBG_free(drbg);
     SELF_TEST_EVENT_onend(event, ret);
     return ret;
-- 
2.24.1.1.gb6d4d82bd5.dirty

mspncp · 2020-02-19T07:18:24Z

I hope I find to review this some time today.

mspncp

I did a sample check of the test vectors and added some comments which makes it easier to find the original vectors.

Since the tests succeed, all seems to be fine. But do you think that one check per DRBG type suffices?

Anyway, approved with the comments added.

providers/fips/self_test_data.inc

slontis · 2020-02-20T06:38:26Z

Well that went bad.. I have partially merged your changes manually instead of clicking on the button here and getting CLA problems...

slontis · 2020-02-20T06:46:40Z

But do you think that one check per DRBG type suffices?

Yes this conforms to what is minimally required for the self tests.
Remember that these are all sanity check(s) - it is not a exhaustive check of every possible scenario for every algorithm.

slontis · 2020-02-20T06:47:22Z

Well that went bad.. I have partially merged your changes manually instead of clicking on the button here and getting CLA problems...

Could you reconfirm approval ..

mspncp · 2020-02-20T06:53:24Z

Well that went bad.. I have partially merged your changes manually instead of clicking on the button here and getting CLA problems...

Just in case your interested to know the reason: Your CLA problem is very likely caused by the fact that you configured your GitHub account to hide your primary email address. That's why GitHub committed the suggestions you accepted using the stealth address [email protected].

From 4577d4ea04419897c534c0c838556f17bb547c97 Mon Sep 17 00:00:00 2001
From: Shane <[email protected]>
Date: Thu, 20 Feb 2020 16:26:02 +1000
Subject: [PATCH] Update providers/fips/self_test_data.inc

Co-Authored-By: Matthias St. Pierre <[email protected]>

https://github.com/openssl/openssl/commit/4577d4ea04419897c534c0c838556f17bb547c97.patch

mspncp

Reconfirmed.

mspncp · 2020-02-21T16:17:54Z

Travis error is the well known timeout.

Reviewed-by: Matthias St. Pierre <[email protected]> (Merged from #11010)

mspncp · 2020-02-21T16:30:36Z

Fixed a trivial conflict caused by 2ee0dfa and merged it as 980a880.

slontis force-pushed the selftest_drbg branch from 9e2c811 to 414ee09 Compare February 4, 2020 04:01

slontis added approval: review pending This pull request needs review by a committer branch: master Applies to master branch labels Feb 7, 2020

slontis mentioned this pull request Feb 7, 2020

Add data driven SELF TEST code for signatures and key agreement #11036

Closed

2 tasks

slontis commented Feb 8, 2020

View reviewed changes

providers/fips/self_test_kats.c Outdated Show resolved Hide resolved

slontis force-pushed the selftest_drbg branch from 414ee09 to 59bfdfc Compare February 8, 2020 23:56

mspncp mentioned this pull request Feb 13, 2020

RAND_DRBG: Restore the unused EX_DATA field in the FIPS provider #11089

Closed

mspncp mentioned this pull request Feb 17, 2020

DRBG: delay initialization of DRBG method until instantiation #11111

Closed

mspncp approved these changes Feb 19, 2020

View reviewed changes

providers/fips/self_test_data.inc Outdated Show resolved Hide resolved

providers/fips/self_test_data.inc Outdated Show resolved Hide resolved

mspncp reviewed Feb 19, 2020

View reviewed changes

providers/fips/self_test_data.inc Outdated Show resolved Hide resolved

mspncp added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Feb 19, 2020

openssl-machine added the hold: cla required The contributor needs to submit a license agreement label Feb 20, 2020

slontis removed the hold: cla required The contributor needs to submit a license agreement label Feb 20, 2020

Add DRBG self tests

8b30d23

slontis force-pushed the selftest_drbg branch from 12dc615 to 8b30d23 Compare February 20, 2020 06:37

mspncp approved these changes Feb 20, 2020

View reviewed changes

mspncp added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Feb 21, 2020

openssl-machine pushed a commit that referenced this pull request Feb 21, 2020

Add DRBG self tests

980a880

Reviewed-by: Matthias St. Pierre <[email protected]> (Merged from #11010)

mspncp closed this Feb 21, 2020

Uh oh!

Conversation

slontis commented Feb 4, 2020

Checklist

Uh oh!

slontis commented Feb 8, 2020

Uh oh!

Uh oh!

slontis commented Feb 9, 2020

Uh oh!

slontis commented Feb 9, 2020

Uh oh!

mspncp commented Feb 10, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

fipshack.diff

fipstest.log

Uh oh!

slontis commented Feb 10, 2020

Uh oh!

slontis commented Feb 10, 2020

Uh oh!

mattcaswell commented Feb 10, 2020

Uh oh!

mspncp commented Feb 10, 2020

Uh oh!

mattcaswell commented Feb 10, 2020

Uh oh!

slontis commented Feb 17, 2020

Uh oh!

mspncp commented Feb 17, 2020

Uh oh!

mspncp commented Feb 17, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

paulidale commented Feb 17, 2020

Uh oh!

mspncp commented Feb 17, 2020

Uh oh!

mspncp commented Feb 17, 2020

Uh oh!

mspncp commented Feb 19, 2020

Uh oh!

mspncp left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

slontis commented Feb 20, 2020

Uh oh!

slontis commented Feb 20, 2020

Uh oh!

slontis commented Feb 20, 2020

Uh oh!

mspncp commented Feb 20, 2020

Uh oh!

mspncp left a comment

Choose a reason for hiding this comment

Uh oh!

mspncp commented Feb 21, 2020

Uh oh!

mspncp commented Feb 21, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

mspncp commented Feb 10, 2020 •

edited

Loading

mspncp commented Feb 17, 2020 •

edited

Loading