summaryrefslogtreecommitdiffstats
path: root/test/drbgtest.c
diff options
context:
space:
mode:
authorDr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>2018-10-21 15:45:34 +0200
committerDr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>2018-10-26 08:38:19 +0200
commit8817215d5c52a76f2b184b624bde4df8556dee6d (patch)
tree118f99760ecc7966a77d2f91347e3be79bb6c258 /test/drbgtest.c
parentRAND_load_file(): avoid adding small chunks to RAND_add() (diff)
downloadopenssl-8817215d5c52a76f2b184b624bde4df8556dee6d.tar.xz
openssl-8817215d5c52a76f2b184b624bde4df8556dee6d.zip
RAND_add()/RAND_seed(): fix failure on short input or low entropy
Commit 5b4cb385c18a (#7382) introduced a bug which had the effect that RAND_add()/RAND_seed() failed for buffer sizes less than 32 bytes. The reason was that now the added random data was used exlusively as entropy source for reseeding. When the random input was too short or contained not enough entropy, the DRBG failed without querying the available entropy sources. This commit makes drbg_add() act smarter: it checks the entropy requirements explicitely. If the random input fails this check, it won't be added as entropy input, but only as additional data. More precisely, the behaviour depends on whether an os entropy source was configured (which is the default on most os): - If an os entropy source is avaible then we declare the buffer content as additional data by setting randomness to zero and trigger a regular reseeding. - If no os entropy source is available, a reseeding will fail inevitably. So drbg_add() uses a trick to mix the buffer contents into the DRBG state without forcing a reseeding: it generates a dummy random byte, using the buffer content as additional data. Related-to: #7449 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7456)
Diffstat (limited to '')
-rw-r--r--test/drbgtest.c124
1 files changed, 84 insertions, 40 deletions
diff --git a/test/drbgtest.c b/test/drbgtest.c
index bb51e01210..882fef82d4 100644
--- a/test/drbgtest.c
+++ b/test/drbgtest.c
@@ -677,7 +677,7 @@ static int test_drbg_reseed(int expect_success,
* setup correctly, in particular whether reseeding works
* as designed.
*/
-static int test_rand_reseed(void)
+static int test_rand_drbg_reseed(void)
{
RAND_DRBG *master, *public, *private;
unsigned char rand_add_buf[256];
@@ -884,64 +884,107 @@ static int test_multi_thread(void)
}
#endif
+#ifdef OPENSSL_RAND_SEED_NONE
/*
- * This function only returns the entropy already added with RAND_add(),
- * and does not get entropy from the OS.
+ * Calculates the minimum buffer length which needs to be
+ * provided to RAND_seed() in order to successfully
+ * instantiate the DRBG.
*
- * Returns 0 on failure and the size of the buffer on success.
+ * Copied from rand_drbg_seedlen() in rand_drbg.c
*/
-static size_t get_pool_entropy(RAND_DRBG *drbg,
- unsigned char **pout,
- int entropy, size_t min_len, size_t max_len,
- int prediction_resistance)
+static size_t rand_drbg_seedlen(RAND_DRBG *drbg)
{
- if (drbg->pool == NULL)
- return 0;
+ /*
+ * If no os entropy source is available then RAND_seed(buffer, bufsize)
+ * is expected to succeed if and only if the buffer length satisfies
+ * the following requirements, which follow from the calculations
+ * in RAND_DRBG_instantiate().
+ */
+ size_t min_entropy = drbg->strength;
+ size_t min_entropylen = drbg->min_entropylen;
- if (drbg->pool->entropy < (size_t)entropy || drbg->pool->len < min_len
- || drbg->pool->len > max_len)
- return 0;
+ /*
+ * Extra entropy for the random nonce in the absence of a
+ * get_nonce callback, see comment in RAND_DRBG_instantiate().
+ */
+ if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {
+ min_entropy += drbg->strength / 2;
+ min_entropylen += drbg->min_noncelen;
+ }
+
+ /*
+ * Convert entropy requirement from bits to bytes
+ * (dividing by 8 without rounding upwards, because
+ * all entropy requirements are divisible by 8).
+ */
+ min_entropy >>= 3;
- *pout = drbg->pool->buffer;
- return drbg->pool->len;
+ /* Return a value that satisfies both requirements */
+ return min_entropy > min_entropylen ? min_entropy : min_entropylen;
}
+#endif /*OPENSSL_RAND_SEED_NONE*/
/*
- * Clean up the entropy that get_pool_entropy() returned.
+ * Test that instantiation with RAND_seed() works as expected
+ *
+ * If no os entropy source is available then RAND_seed(buffer, bufsize)
+ * is expected to succeed if and only if the buffer length is at least
+ * rand_drbg_seedlen(master) bytes.
+ *
+ * If an os entropy source is available then RAND_seed(buffer, bufsize)
+ * is expected to succeed always.
*/
-static void cleanup_pool_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
+static int test_rand_seed(void)
{
- OPENSSL_free(drbg->pool);
- drbg->pool = NULL;
+ RAND_DRBG *master = RAND_DRBG_get0_master();
+ unsigned char rand_buf[256];
+ size_t rand_buflen;
+#ifdef OPENSSL_RAND_SEED_NONE
+ size_t required_seed_buflen = rand_drbg_seedlen(master);
+#else
+ size_t required_seed_buflen = 0;
+#endif
+
+ memset(rand_buf, 0xCD, sizeof(rand_buf));
+
+ for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
+ RAND_DRBG_uninstantiate(master);
+ RAND_seed(rand_buf, rand_buflen);
+
+ if (!TEST_int_eq(RAND_status(),
+ (rand_buflen >= required_seed_buflen)))
+ return 0;
+ }
+
+ return 1;
}
/*
- * Test that instantiating works when OS entropy is not available and that
- * RAND_add() is enough to reseed it.
+ * Test that adding additional data with RAND_add() works as expected
+ * when the master DRBG is instantiated (and below its reseed limit).
+ *
+ * This should succeed regardless of whether an os entropy source is
+ * available or not.
*/
static int test_rand_add(void)
{
- RAND_DRBG *master = RAND_DRBG_get0_master();
- RAND_DRBG_get_entropy_fn old_get_entropy = master->get_entropy;
- RAND_DRBG_cleanup_entropy_fn old_cleanup_entropy = master->cleanup_entropy;
- int rv = 0;
- unsigned char rand_add_buf[256];
+ unsigned char rand_buf[256];
+ size_t rand_buflen;
- master->get_entropy = get_pool_entropy;
- master->cleanup_entropy = cleanup_pool_entropy;
- master->reseed_prop_counter++;
- RAND_DRBG_uninstantiate(master);
- memset(rand_add_buf, 0xCD, sizeof(rand_add_buf));
- RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
- if (!TEST_true(RAND_DRBG_instantiate(master, NULL, 0)))
- goto error;
+ memset(rand_buf, 0xCD, sizeof(rand_buf));
- rv = 1;
+ /* make sure it's instantiated */
+ RAND_seed(rand_buf, sizeof(rand_buf));
+ if (!TEST_true(RAND_status()))
+ return 0;
-error:
- master->get_entropy = old_get_entropy;
- master->cleanup_entropy = old_cleanup_entropy;
- return rv;
+ for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
+ RAND_add(rand_buf, rand_buflen, 0.0);
+ if (!TEST_true(RAND_status()))
+ return 0;
+ }
+
+ return 1;
}
static int test_multi_set(void)
@@ -1067,7 +1110,8 @@ int setup_tests(void)
ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test));
ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test));
- ADD_TEST(test_rand_reseed);
+ ADD_TEST(test_rand_drbg_reseed);
+ ADD_TEST(test_rand_seed);
ADD_TEST(test_rand_add);
ADD_TEST(test_multi_set);
ADD_TEST(test_set_defaults);