2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/nelem.h"
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include <openssl/obj_mac.h>
16 #include <openssl/evp.h>
17 #include <openssl/aes.h>
18 #include "../crypto/rand/rand_local.h"
19 #include "../include/crypto/rand.h"
26 #if defined(OPENSSL_SYS_UNIX)
27 # include <sys/types.h>
28 # include <sys/wait.h>
35 typedef struct drbg_selftest_data_st {
40 /* KAT data for no PR */
41 const unsigned char *entropy;
43 const unsigned char *nonce;
45 const unsigned char *pers;
47 const unsigned char *adin;
49 const unsigned char *entropyreseed;
50 size_t entropyreseedlen;
51 const unsigned char *adinreseed;
53 const unsigned char *adin2;
55 const unsigned char *expected;
57 const unsigned char *kat2;
61 const unsigned char *entropy_pr;
63 const unsigned char *nonce_pr;
65 const unsigned char *pers_pr;
67 const unsigned char *adin_pr;
69 const unsigned char *entropypr_pr;
70 size_t entropyprlen_pr;
71 const unsigned char *ading_pr;
73 const unsigned char *entropyg_pr;
74 size_t entropyglen_pr;
75 const unsigned char *kat_pr;
77 const unsigned char *kat2_pr;
81 #define make_drbg_test_data(nid, flag, pr, post) {\
83 pr##_entropyinput, sizeof(pr##_entropyinput), \
84 pr##_nonce, sizeof(pr##_nonce), \
85 pr##_personalizationstring, sizeof(pr##_personalizationstring), \
86 pr##_additionalinput, sizeof(pr##_additionalinput), \
87 pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
88 pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
89 pr##_additionalinput2, sizeof(pr##_additionalinput2), \
90 pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
91 pr##_returnedbits, sizeof(pr##_returnedbits), \
92 pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
93 pr##_pr_nonce, sizeof(pr##_pr_nonce), \
94 pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
95 pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
96 pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
97 pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
98 pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
99 pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
100 pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
103 #define make_drbg_test_data_use_df(nid, pr, p) \
104 make_drbg_test_data(nid, 0, pr, p)
106 #define make_drbg_test_data_no_df(nid, pr, p) \
107 make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p)
109 static DRBG_SELFTEST_DATA drbg_test[] = {
110 make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df, 0),
111 make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df, 0),
112 make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df, 1),
113 make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0),
114 make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0),
115 make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1),
118 static int app_data_index;
121 * Test context data, attached as EXDATA to the RAND_DRBG
123 typedef struct test_ctx_st {
124 const unsigned char *entropy;
127 const unsigned char *nonce;
132 static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
133 int entropy, size_t min_len, size_t max_len,
134 int prediction_resistance)
136 TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
139 *pout = (unsigned char *)t->entropy;
140 return t->entropylen;
143 static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
144 int entropy, size_t min_len, size_t max_len)
146 TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
149 *pout = (unsigned char *)t->nonce;
153 static int uninstantiate(RAND_DRBG *drbg)
155 int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
162 * Do a single KAT test. Return 0 on failure.
164 static int single_kat(DRBG_SELFTEST_DATA *td)
166 RAND_DRBG *drbg = NULL;
169 unsigned char buff[1024];
172 * Test without PR: Instantiate DRBG with test entropy, nonce and
173 * personalisation string.
175 if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
177 if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
182 memset(&t, 0, sizeof(t));
183 t.entropy = td->entropy;
184 t.entropylen = td->entropylen;
186 t.noncelen = td->noncelen;
187 RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
189 if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
190 || !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
191 td->adin, td->adinlen))
192 || !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen))
195 /* Reseed DRBG with test entropy and additional input */
196 t.entropy = td->entropyreseed;
197 t.entropylen = td->entropyreseedlen;
198 if (!TEST_true(RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0)
199 || !TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
200 td->adin2, td->adin2len))
201 || !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len)))
206 * Now test with PR: Instantiate DRBG with test entropy, nonce and
207 * personalisation string.
209 if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags))
210 || !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
213 RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
214 t.entropy = td->entropy_pr;
215 t.entropylen = td->entropylen_pr;
216 t.nonce = td->nonce_pr;
217 t.noncelen = td->noncelen_pr;
220 if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr)))
224 * Now generate with PR: we need to supply entropy as this will
225 * perform a reseed operation.
227 t.entropy = td->entropypr_pr;
228 t.entropylen = td->entropyprlen_pr;
229 if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
230 td->adin_pr, td->adinlen_pr))
231 || !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr))
235 * Now generate again with PR: supply new entropy again.
237 t.entropy = td->entropyg_pr;
238 t.entropylen = td->entropyglen_pr;
240 if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
241 td->ading_pr, td->adinglen_pr))
242 || !TEST_mem_eq(td->kat2_pr, td->kat2len_pr,
243 buff, td->kat2len_pr))
248 RAND_DRBG_free(drbg);
249 return failures == 0;
253 * Initialise a DRBG based on selftest data
255 static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
257 if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags))
258 || !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
261 RAND_DRBG_set_ex_data(drbg, app_data_index, t);
262 t->entropy = td->entropy;
263 t->entropylen = td->entropylen;
264 t->nonce = td->nonce;
265 t->noncelen = td->noncelen;
272 * Initialise and instantiate DRBG based on selftest data
274 static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td,
277 if (!TEST_true(init(drbg, td, t))
278 || !TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen)))
284 * Perform extensive error checking as required by SP800-90.
285 * Induce several failure modes and check an error condition is set.
287 static int error_check(DRBG_SELFTEST_DATA *td)
289 RAND_DRBG *drbg = NULL;
291 unsigned char buff[1024];
292 unsigned int reseed_counter_tmp;
295 if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
299 * Personalisation string tests
302 /* Test detection of too large personalisation string */
303 if (!init(drbg, td, &t)
304 || !TEST_false(RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1)))
308 * Entropy source tests
311 /* Test entropy source failure detection: i.e. returns no data */
313 if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen)))
316 /* Try to generate output from uninstantiated DRBG */
317 if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
318 td->adin, td->adinlen))
319 || !uninstantiate(drbg))
322 /* Test insufficient entropy */
323 if (!init(drbg, td, &t))
325 t.entropylen = drbg->min_entropylen - 1;
326 if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
327 || !uninstantiate(drbg))
330 /* Test too much entropy */
331 if (!init(drbg, td, &t))
333 t.entropylen = drbg->max_entropylen + 1;
334 if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
335 || !uninstantiate(drbg))
342 /* Test too small nonce */
343 if (drbg->min_noncelen) {
344 if (!init(drbg, td, &t))
346 t.noncelen = drbg->min_noncelen - 1;
347 if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
348 || !uninstantiate(drbg))
352 /* Test too large nonce */
353 if (drbg->max_noncelen) {
354 if (!init(drbg, td, &t))
356 t.noncelen = drbg->max_noncelen + 1;
357 if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
358 || !uninstantiate(drbg))
362 /* Instantiate with valid data, Check generation is now OK */
363 if (!instantiate(drbg, td, &t)
364 || !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
365 td->adin, td->adinlen)))
368 /* Request too much data for one request */
369 if (!TEST_false(RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
370 td->adin, td->adinlen)))
373 /* Try too large additional input */
374 if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
375 td->adin, drbg->max_adinlen + 1)))
379 * Check prediction resistance request fails if entropy source
383 if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
384 td->adin, td->adinlen))
385 || !uninstantiate(drbg))
388 /* Instantiate again with valid data */
389 if (!instantiate(drbg, td, &t))
391 reseed_counter_tmp = drbg->generate_counter;
392 drbg->generate_counter = drbg->reseed_interval;
394 /* Generate output and check entropy has been requested for reseed */
396 if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
397 td->adin, td->adinlen))
398 || !TEST_int_eq(t.entropycnt, 1)
399 || !TEST_int_eq(drbg->generate_counter, reseed_counter_tmp + 1)
400 || !uninstantiate(drbg))
404 * Check prediction resistance request fails if entropy source
408 if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
409 td->adin, td->adinlen))
410 || !uninstantiate(drbg))
413 /* Test reseed counter works */
414 if (!instantiate(drbg, td, &t))
416 reseed_counter_tmp = drbg->generate_counter;
417 drbg->generate_counter = drbg->reseed_interval;
419 /* Generate output and check entropy has been requested for reseed */
421 if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
422 td->adin, td->adinlen))
423 || !TEST_int_eq(t.entropycnt, 1)
424 || !TEST_int_eq(drbg->generate_counter, reseed_counter_tmp + 1)
425 || !uninstantiate(drbg))
429 * Explicit reseed tests
432 /* Test explicit reseed with too large additional input */
433 if (!instantiate(drbg, td, &t)
434 || !TEST_false(RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0)))
437 /* Test explicit reseed with entropy source failure */
439 if (!TEST_false(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0))
440 || !uninstantiate(drbg))
443 /* Test explicit reseed with too much entropy */
444 if (!instantiate(drbg, td, &t))
446 t.entropylen = drbg->max_entropylen + 1;
447 if (!TEST_false(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0))
448 || !uninstantiate(drbg))
451 /* Test explicit reseed with too little entropy */
452 if (!instantiate(drbg, td, &t))
454 t.entropylen = drbg->min_entropylen - 1;
455 if (!TEST_false(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0))
456 || !uninstantiate(drbg))
463 RAND_DRBG_free(drbg);
467 static int test_kats(int i)
469 DRBG_SELFTEST_DATA *td = &drbg_test[i];
480 static int test_error_checks(int i)
482 DRBG_SELFTEST_DATA *td = &drbg_test[i];
485 if (!error_check(td))
494 * Hook context data, attached as EXDATA to the RAND_DRBG
496 typedef struct hook_ctx_st {
499 * Currently, all DRBGs use the same get_entropy() callback.
500 * The tests however, don't assume this and store
501 * the original callback for every DRBG separately.
503 RAND_DRBG_get_entropy_fn get_entropy;
504 /* forces a failure of the get_entropy() call if nonzero */
506 /* counts successful reseeds */
510 static HOOK_CTX master_ctx, public_ctx, private_ctx;
512 static HOOK_CTX *get_hook_ctx(RAND_DRBG *drbg)
514 return (HOOK_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
517 /* Intercepts and counts calls to the get_entropy() callback */
518 static size_t get_entropy_hook(RAND_DRBG *drbg, unsigned char **pout,
519 int entropy, size_t min_len, size_t max_len,
520 int prediction_resistance)
523 HOOK_CTX *ctx = get_hook_ctx(drbg);
528 ret = ctx->get_entropy(drbg, pout, entropy, min_len, max_len,
529 prediction_resistance);
536 /* Installs a hook for the get_entropy() callback of the given drbg */
537 static void hook_drbg(RAND_DRBG *drbg, HOOK_CTX *ctx)
539 memset(ctx, 0, sizeof(*ctx));
541 ctx->get_entropy = drbg->get_entropy;
542 drbg->get_entropy = get_entropy_hook;
543 RAND_DRBG_set_ex_data(drbg, app_data_index, ctx);
546 /* Installs the hook for the get_entropy() callback of the given drbg */
547 static void unhook_drbg(RAND_DRBG *drbg)
549 HOOK_CTX *ctx = get_hook_ctx(drbg);
551 drbg->get_entropy = ctx->get_entropy;
552 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
555 /* Resets the given hook context */
556 static void reset_hook_ctx(HOOK_CTX *ctx)
559 ctx->reseed_count = 0;
562 /* Resets all drbg hook contexts */
563 static void reset_drbg_hook_ctx(void)
565 reset_hook_ctx(&master_ctx);
566 reset_hook_ctx(&public_ctx);
567 reset_hook_ctx(&private_ctx);
571 * Generates random output using RAND_bytes() and RAND_priv_bytes()
572 * and checks whether the three shared DRBGs were reseeded as
575 * |expect_success|: expected outcome (as reported by RAND_status())
576 * |master|, |public|, |private|: pointers to the three shared DRBGs
577 * |expect_xxx_reseed| =
578 * 1: it is expected that the specified DRBG is reseeded
579 * 0: it is expected that the specified DRBG is not reseeded
580 * -1: don't check whether the specified DRBG was reseeded or not
581 * |reseed_time|: if nonzero, used instead of time(NULL) to set the
582 * |before_reseed| time.
584 static int test_drbg_reseed(int expect_success,
588 int expect_master_reseed,
589 int expect_public_reseed,
590 int expect_private_reseed,
594 unsigned char buf[32];
595 time_t before_reseed, after_reseed;
596 int expected_state = (expect_success ? DRBG_READY : DRBG_ERROR);
599 * step 1: check preconditions
602 /* Test whether seed propagation is enabled */
603 if (!TEST_int_ne(master->reseed_counter, 0)
604 || !TEST_int_ne(public->reseed_counter, 0)
605 || !TEST_int_ne(private->reseed_counter, 0))
608 /* Check whether the master DRBG's reseed counter is the largest one */
609 if (!TEST_int_le(public->reseed_counter, master->reseed_counter)
610 || !TEST_int_le(private->reseed_counter, master->reseed_counter))
614 * step 2: generate random output
617 if (reseed_time == 0)
618 reseed_time = time(NULL);
620 /* Generate random output from the public and private DRBG */
621 before_reseed = expect_master_reseed == 1 ? reseed_time : 0;
622 if (!TEST_int_eq(RAND_bytes(buf, sizeof(buf)), expect_success)
623 || !TEST_int_eq(RAND_priv_bytes(buf, sizeof(buf)), expect_success))
625 after_reseed = time(NULL);
629 * step 3: check postconditions
632 /* Test whether reseeding succeeded as expected */
633 if (!TEST_int_eq(master->state, expected_state)
634 || !TEST_int_eq(public->state, expected_state)
635 || !TEST_int_eq(private->state, expected_state))
638 if (expect_master_reseed >= 0) {
639 /* Test whether master DRBG was reseeded as expected */
640 if (!TEST_int_eq(master_ctx.reseed_count, expect_master_reseed))
644 if (expect_public_reseed >= 0) {
645 /* Test whether public DRBG was reseeded as expected */
646 if (!TEST_int_eq(public_ctx.reseed_count, expect_public_reseed))
650 if (expect_private_reseed >= 0) {
651 /* Test whether public DRBG was reseeded as expected */
652 if (!TEST_int_eq(private_ctx.reseed_count, expect_private_reseed))
656 if (expect_success == 1) {
657 /* Test whether all three reseed counters are synchronized */
658 if (!TEST_int_eq(public->reseed_counter, master->reseed_counter)
659 || !TEST_int_eq(private->reseed_counter, master->reseed_counter))
662 /* Test whether reseed time of master DRBG is set correctly */
663 if (!TEST_time_t_le(before_reseed, master->reseed_time)
664 || !TEST_time_t_le(master->reseed_time, after_reseed))
667 /* Test whether reseed times of child DRBGs are synchronized with master */
668 if (!TEST_time_t_ge(public->reseed_time, master->reseed_time)
669 || !TEST_time_t_ge(private->reseed_time, master->reseed_time))
679 #if defined(OPENSSL_SYS_UNIX)
681 * Test whether master, public and private DRBG are reseeded after
682 * forking the process.
684 static int test_drbg_reseed_after_fork(RAND_DRBG *master,
692 if (!TEST_int_ge(pid, 0))
696 /* I'm the parent; wait for the child and check its exit code */
697 return TEST_int_eq(waitpid(pid, &status, 0), pid) && TEST_int_eq(status, 0);
700 /* I'm the child; check whether all three DRBGs reseed. */
701 if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)))
707 unhook_drbg(private);
713 * Test whether the default rand_method (RAND_OpenSSL()) is
714 * setup correctly, in particular whether reseeding works
717 static int test_rand_drbg_reseed(void)
719 RAND_DRBG *master, *public, *private;
720 unsigned char rand_add_buf[256];
722 time_t before_reseed;
724 /* Check whether RAND_OpenSSL() is the default method */
725 if (!TEST_ptr_eq(RAND_get_rand_method(), RAND_OpenSSL()))
728 /* All three DRBGs should be non-null */
729 if (!TEST_ptr(master = RAND_DRBG_get0_master())
730 || !TEST_ptr(public = RAND_DRBG_get0_public())
731 || !TEST_ptr(private = RAND_DRBG_get0_private()))
734 /* There should be three distinct DRBGs, two of them chained to master */
735 if (!TEST_ptr_ne(public, private)
736 || !TEST_ptr_ne(public, master)
737 || !TEST_ptr_ne(private, master)
738 || !TEST_ptr_eq(public->parent, master)
739 || !TEST_ptr_eq(private->parent, master))
742 /* uninstantiate the three global DRBGs */
743 RAND_DRBG_uninstantiate(private);
744 RAND_DRBG_uninstantiate(public);
745 RAND_DRBG_uninstantiate(master);
748 /* Install hooks for the following tests */
749 hook_drbg(master, &master_ctx);
750 hook_drbg(public, &public_ctx);
751 hook_drbg(private, &private_ctx);
755 * Test initial seeding of shared DRBGs
757 if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)))
759 reset_drbg_hook_ctx();
763 * Test initial state of shared DRBGs
765 if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 0, 0)))
767 reset_drbg_hook_ctx();
770 * Test whether the public and private DRBG are both reseeded when their
771 * reseed counters differ from the master's reseed counter.
773 master->reseed_counter++;
774 if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 1, 0)))
776 reset_drbg_hook_ctx();
779 * Test whether the public DRBG is reseeded when its reseed counter differs
780 * from the master's reseed counter.
782 master->reseed_counter++;
783 private->reseed_counter++;
784 if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 0, 0)))
786 reset_drbg_hook_ctx();
789 * Test whether the private DRBG is reseeded when its reseed counter differs
790 * from the master's reseed counter.
792 master->reseed_counter++;
793 public->reseed_counter++;
794 if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 1, 0)))
796 reset_drbg_hook_ctx();
798 #if defined(OPENSSL_SYS_UNIX)
799 if (!TEST_true(test_drbg_reseed_after_fork(master, public, private)))
803 /* fill 'randomness' buffer with some arbitrary data */
804 memset(rand_add_buf, 'r', sizeof(rand_add_buf));
807 * Test whether all three DRBGs are reseeded by RAND_add().
808 * The before_reseed time has to be measured here and passed into the
809 * test_drbg_reseed() test, because the master DRBG gets already reseeded
810 * in RAND_add(), whence the check for the condition
811 * before_reseed <= master->reseed_time will fail if the time value happens
812 * to increase between the RAND_add() and the test_drbg_reseed() call.
814 before_reseed = time(NULL);
815 RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
816 if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1,
819 reset_drbg_hook_ctx();
823 * Test whether none of the DRBGs is reseed if the master fails to reseed
826 master->reseed_counter++;
827 RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
828 if (!TEST_true(test_drbg_reseed(0, master, public, private, 0, 0, 0, 0)))
830 reset_drbg_hook_ctx();
838 unhook_drbg(private);
843 #if defined(OPENSSL_THREADS)
844 static int multi_thread_rand_bytes_succeeded = 1;
845 static int multi_thread_rand_priv_bytes_succeeded = 1;
847 static void run_multi_thread_test(void)
849 unsigned char buf[256];
850 time_t start = time(NULL);
851 RAND_DRBG *public = NULL, *private = NULL;
853 if (!TEST_ptr(public = RAND_DRBG_get0_public())
854 || !TEST_ptr(private = RAND_DRBG_get0_private())) {
855 multi_thread_rand_bytes_succeeded = 0;
858 RAND_DRBG_set_reseed_time_interval(private, 1);
859 RAND_DRBG_set_reseed_time_interval(public, 1);
862 if (RAND_bytes(buf, sizeof(buf)) <= 0)
863 multi_thread_rand_bytes_succeeded = 0;
864 if (RAND_priv_bytes(buf, sizeof(buf)) <= 0)
865 multi_thread_rand_priv_bytes_succeeded = 0;
867 while(time(NULL) - start < 5);
870 # if defined(OPENSSL_SYS_WINDOWS)
872 typedef HANDLE thread_t;
874 static DWORD WINAPI thread_run(LPVOID arg)
876 run_multi_thread_test();
878 * Because we're linking with a static library, we must stop each
879 * thread explicitly, or so says OPENSSL_thread_stop(3)
881 OPENSSL_thread_stop();
885 static int run_thread(thread_t *t)
887 *t = CreateThread(NULL, 0, thread_run, NULL, 0, NULL);
891 static int wait_for_thread(thread_t thread)
893 return WaitForSingleObject(thread, INFINITE) == 0;
898 typedef pthread_t thread_t;
900 static void *thread_run(void *arg)
902 run_multi_thread_test();
904 * Because we're linking with a static library, we must stop each
905 * thread explicitly, or so says OPENSSL_thread_stop(3)
907 OPENSSL_thread_stop();
911 static int run_thread(thread_t *t)
913 return pthread_create(t, NULL, thread_run, NULL) == 0;
916 static int wait_for_thread(thread_t thread)
918 return pthread_join(thread, NULL) == 0;
924 * The main thread will also run the test, so we'll have THREADS+1 parallel
929 static int test_multi_thread(void)
934 for (i = 0; i < THREADS; i++)
936 run_multi_thread_test();
937 for (i = 0; i < THREADS; i++)
938 wait_for_thread(t[i]);
940 if (!TEST_true(multi_thread_rand_bytes_succeeded))
942 if (!TEST_true(multi_thread_rand_priv_bytes_succeeded))
950 * Test that instantiation with RAND_seed() works as expected
952 * If no os entropy source is available then RAND_seed(buffer, bufsize)
953 * is expected to succeed if and only if the buffer length is at least
954 * rand_drbg_seedlen(master) bytes.
956 * If an os entropy source is available then RAND_seed(buffer, bufsize)
957 * is expected to succeed always.
959 static int test_rand_seed(void)
961 RAND_DRBG *master = NULL;
962 unsigned char rand_buf[256];
964 size_t required_seed_buflen = 0;
966 if (!TEST_ptr(master = RAND_DRBG_get0_master()))
969 #ifdef OPENSSL_RAND_SEED_NONE
970 required_seed_buflen = rand_drbg_seedlen(master);
973 memset(rand_buf, 0xCD, sizeof(rand_buf));
975 for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
976 RAND_DRBG_uninstantiate(master);
977 RAND_seed(rand_buf, rand_buflen);
979 if (!TEST_int_eq(RAND_status(),
980 (rand_buflen >= required_seed_buflen)))
988 * Test that adding additional data with RAND_add() works as expected
989 * when the master DRBG is instantiated (and below its reseed limit).
991 * This should succeed regardless of whether an os entropy source is
994 static int test_rand_add(void)
996 unsigned char rand_buf[256];
999 memset(rand_buf, 0xCD, sizeof(rand_buf));
1001 /* make sure it's instantiated */
1002 RAND_seed(rand_buf, sizeof(rand_buf));
1003 if (!TEST_true(RAND_status()))
1006 for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
1007 RAND_add(rand_buf, rand_buflen, 0.0);
1008 if (!TEST_true(RAND_status()))
1015 int setup_tests(void)
1017 app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
1019 ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test));
1020 ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test));
1021 ADD_TEST(test_rand_drbg_reseed);
1022 ADD_TEST(test_rand_seed);
1023 ADD_TEST(test_rand_add);
1024 #if defined(OPENSSL_THREADS)
1025 ADD_TEST(test_multi_thread);