diff --git a/CHANGES b/CHANGES
index 9395529e39da8c5bbed8cebf0dffed0bc545990c..7709cc2ef41835c217cd80f90b8c934a1b529af5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
+ This shouldn't present any incompatibility problems because applications
+ shouldn't be using these directly and any that are will need to rethink
+ anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
+ [Steve Henson]
+
 *) Extensive self tests and health checking required by SP800-90 DRBG. Remove strength parameter from FIPS_drbg_instantiate and always instantiate at maximum supported strength.
diff --git a/fips/fips.c b/fips/fips.c
index e8d99c50044990abaa1bd0502935a1ed78accf13..42f400311956288e89165bc29ad251134f968b17 100644
--- a/fips/fips.c
+++ b/fips/fips.c
@@ -323,7 +323,7 @@ int FIPS_mode_set(int onoff)
 }
 /* Perform RNG KAT before seeding */
- if (!FIPS_selftest_rng())
+ if (!FIPS_selftest_x931())
 {
 fips_selftest_fail = 1;
 ret = 0;
diff --git a/fips/fips.h b/fips/fips.h
index 6f736550204666bdae601197b8f6843a446b015f..e4c32664dfbeb458228db37ccae0b527e376fafd 100644
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -89,11 +89,11 @@ int FIPS_selftest_dsa(void);
 int FIPS_selftest_ecdsa(void);
 void FIPS_corrupt_ecdsa(void);
 void FIPS_corrupt_ec_keygen(void);
-void FIPS_corrupt_rng(void);
+void FIPS_corrupt_x931(void);
 void FIPS_corrupt_drbg(void);
-void FIPS_rng_stick(void);
+void FIPS_x931_stick(void);
 void FIPS_drbg_stick(void);
-int FIPS_selftest_rng(void);
+int FIPS_selftest_x931(void);
 int FIPS_selftest_hmac(void);
 int FIPS_selftest_drbg(void);
 int FIPS_selftest_cmac(void);
diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index aa7fbf814f0952a2af0e109c131c10b2879e8c7f..c82dffea88537dfa3616589950ef013bd488b5b8 100644
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -723,7 +723,7 @@ int main(int argc,char **argv)
 } else if (!strcmp(argv[1], "drbg")) {
 FIPS_corrupt_drbg();
 } else if (!strcmp(argv[1], "rng")) {
- FIPS_corrupt_rng();
+ FIPS_corrupt_x931();
 } else if (!strcmp(argv[1], "rngstick")) {
 do_rng_stick = 1;
 no_exit = 1;
@@ -764,7 +764,7 @@ int main(int argc,char **argv)
 if (do_drbg_stick)
 FIPS_drbg_stick();
 if (do_rng_stick)
- FIPS_rng_stick();
+ FIPS_x931_stick();
 /* AES encryption/decryption */
diff --git a/fips/rand/fips_rand.c b/fips/rand/fips_rand.c
index ebe0f735fc305dde8c9b5c8d6dc7bc229cae82e5..d56b940a6d9d1dfdda9d113d43ac1efa6e047de9 100644
--- a/fips/rand/fips_rand.c
+++ b/fips/rand/fips_rand.c
@@ -111,7 +111,7 @@ static FIPS_PRNG_CTX sctx;
 static int fips_prng_fail = 0;
-void FIPS_rng_stick(void)
+void FIPS_x931_stick(void)
 {
 fips_prng_fail = 1;
 }
@@ -205,12 +205,12 @@ static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
 return 1;
 }
-int FIPS_rand_test_mode(void)
+int FIPS_x931_test_mode(void)
 {
 return fips_set_test_mode(&sctx);
 }
-int FIPS_rand_set_dt(unsigned char *dt)
+int FIPS_x931_set_dt(unsigned char *dt)
 {
 if (!sctx.test_mode)
 {
@@ -339,7 +339,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
 }
-int FIPS_rand_set_key(const unsigned char *key, int keylen)
+int FIPS_x931_set_key(const unsigned char *key, int keylen)
 {
 int ret;
 CRYPTO_w_lock(CRYPTO_LOCK_RAND);
@@ -348,7 +348,7 @@ int FIPS_rand_set_key(const unsigned char *key, int keylen)
 return ret;
 }
-int FIPS_rand_seed(const void *seed, int seedlen)
+int FIPS_x931_seed(const void *seed, int seedlen)
 {
 int ret;
 CRYPTO_w_lock(CRYPTO_LOCK_RAND);
@@ -358,7 +358,7 @@ int FIPS_rand_seed(const void *seed, int seedlen)
 }
-int FIPS_rand_bytes(unsigned char *out, int count)
+int FIPS_x931_bytes(unsigned char *out, int count)
 {
 int ret;
 CRYPTO_w_lock(CRYPTO_LOCK_RAND);
@@ -367,7 +367,7 @@ int FIPS_rand_bytes(unsigned char *out, int count)
 return ret;
 }
-int FIPS_rand_status(void)
+int FIPS_x931_status(void)
 {
 int ret;
 CRYPTO_r_lock(CRYPTO_LOCK_RAND);
@@ -376,7 +376,7 @@ int FIPS_rand_status(void)
 return ret;
 }
-void FIPS_rand_reset(void)
+void FIPS_x931_reset(void)
 {
 CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 fips_rand_prng_reset(&sctx);
@@ -385,30 +385,30 @@ void FIPS_rand_reset(void)
 static int fips_do_rand_seed(const void *seed, int seedlen)
 {
- FIPS_rand_seed(seed, seedlen);
+ FIPS_x931_seed(seed, seedlen);
 return 1;
 }
 static int fips_do_rand_add(const void *seed, int seedlen, double add_entropy)
 {
- FIPS_rand_seed(seed, seedlen);
+ FIPS_x931_seed(seed, seedlen);
 return 1;
 }
-static const RAND_METHOD rand_fips_meth=
+static const RAND_METHOD rand_x931_meth=
 {
 fips_do_rand_seed,
- FIPS_rand_bytes,
- FIPS_rand_reset,
+ FIPS_x931_bytes,
+ FIPS_x931_reset,
 fips_do_rand_add,
- FIPS_rand_bytes,
- FIPS_rand_status
+ FIPS_x931_bytes,
+ FIPS_x931_status
 };
-const RAND_METHOD *FIPS_rand_method(void)
+const RAND_METHOD *FIPS_x931_method(void)
 {
- return &rand_fips_meth;
+ return &rand_x931_meth;
 }
 #endif
diff --git a/fips/rand/fips_rand.h b/fips/rand/fips_rand.h
index 18ca8acbfc7d2231d8a6101a0aa7acef119ac586..a691e14359e156887644a889102626d2e0aafbb3 100644
--- a/fips/rand/fips_rand.h
+++ b/fips/rand/fips_rand.h
@@ -58,17 +58,17 @@ extern "C" {
 #endif
-int FIPS_rand_set_key(const unsigned char *key, int keylen);
-int FIPS_rand_seed(const void *buf, int num);
-int FIPS_rand_bytes(unsigned char *out, int outlen);
+int FIPS_x931_set_key(const unsigned char *key, int keylen);
+int FIPS_x931_seed(const void *buf, int num);
+int FIPS_x931_bytes(unsigned char *out, int outlen);
-int FIPS_rand_test_mode(void);
-void FIPS_rand_reset(void);
-int FIPS_rand_set_dt(unsigned char *dt);
+int FIPS_x931_test_mode(void);
+void FIPS_x931_reset(void);
+int FIPS_x931_set_dt(unsigned char *dt);
-int FIPS_rand_status(void);
+int FIPS_x931_status(void);
-const RAND_METHOD *FIPS_rand_method(void);
+const RAND_METHOD *FIPS_x931_method(void);
 typedef struct drbg_ctx_st DRBG_CTX;
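Review bot: In fips/rand/fips_rand.c, `fips_do_rand_seed` and `fips_do_rand_add` discard the result of `FIPS_x931_seed` and return 1 unconditionally, so anything seeding through the `RAND_METHOD` table is told it succeeded even when the X9.31 context rejected the seed. Since `FIPS_x931_seed` already returns an int, both wrappers could pass it through with `return FIPS_x931_seed(seed, seedlen);`. That assumes it follows the 1-on-success convention that `FIPS_x931_set_key` is tested with elsewhere in this commit; the seeding code itself is outside the hunk, so this should be confirmed. If `add_entropy` is ignored on purpose in `fips_do_rand_add`, a one-line comment saying so would help.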
diff --git a/fips/rand/fips_rand_selftest.c b/fips/rand/fips_rand_selftest.c
index f352cc6cd785e6c2ab90b601f8d56d70e32ef171..ee5f320e0e2de239cf8287bcd2f4f7beb6e3ac9f 100644
--- a/fips/rand/fips_rand_selftest.c
+++ b/fips/rand/fips_rand_selftest.c
@@ -324,26 +324,26 @@ static AES_PRNG_TV aes_256_tv[] = {
 };
-void FIPS_corrupt_rng()
+void FIPS_corrupt_x931()
 {
 aes_192_tv[0].V[0]++;
 }
-#define fips_rand_test(key, tv) \
- do_rand_test(key, sizeof key, tv, sizeof(tv)/sizeof(AES_PRNG_TV))
+#define fips_x931_test(key, tv) \
+ do_x931_test(key, sizeof key, tv, sizeof(tv)/sizeof(AES_PRNG_TV))
-static int do_rand_test(unsigned char *key, int keylen,
+static int do_x931_test(unsigned char *key, int keylen,
 AES_PRNG_TV *tv, int ntv)
 {
 unsigned char R[16];
 int i;
- if (!FIPS_rand_set_key(key, keylen))
+ if (!FIPS_x931_set_key(key, keylen))
 return 0;
 for (i = 0; i < ntv; i++)
 {
- FIPS_rand_seed(tv[i].V, 16);
- FIPS_rand_set_dt(tv[i].DT);
- FIPS_rand_bytes(R, 16);
+ FIPS_x931_seed(tv[i].V, 16);
+ FIPS_x931_set_dt(tv[i].DT);
+ FIPS_x931_bytes(R, 16);
 if (memcmp(R, tv[i].R, 16))
 return 0;
 }
@@ -351,22 +351,22 @@ static int do_rand_test(unsigned char *key, int keylen,
 }
-int FIPS_selftest_rng()
+int FIPS_selftest_x931()
 {
- FIPS_rand_reset();
- if (!FIPS_rand_test_mode())
+ FIPS_x931_reset();
+ if (!FIPS_x931_test_mode())
 {
 FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
 return 0;
 }
- if (!fips_rand_test(aes_128_key,aes_128_tv)
- || !fips_rand_test(aes_192_key, aes_192_tv)
- || !fips_rand_test(aes_256_key, aes_256_tv))
+ if (!fips_x931_test(aes_128_key,aes_128_tv)
+ || !fips_x931_test(aes_192_key, aes_192_tv)
+ || !fips_x931_test(aes_256_key, aes_256_tv))
 {
 FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
 return 0;
 }
- FIPS_x931_reset();
+ FIPS_x931_reset();
 return 1;
 }
diff --git a/fips/rand/fips_randtest.c b/fips/rand/fips_randtest.c
index 3465bc3029d61581b0722e6d115ab5ed8a3cf44f..77015658380cccd6a8300a71c965b8e3afd987fc 100644
--- a/fips/rand/fips_randtest.c
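Review bot: The known-answer loop in `do_x931_test` ignores the return values of `FIPS_x931_seed`, `FIPS_x931_set_dt` and `FIPS_x931_bytes`, so if generation fails `R` may reach `memcmp` without having been written and the self-test result then depends on stack contents instead of failing closed. Checking the calls before the comparison makes the failure explicit: `if (!FIPS_x931_seed(tv[i].V, 16) || !FIPS_x931_set_dt(tv[i].DT) || FIPS_x931_bytes(R, 16) <= 0) return 0;`. The `<= 0` test mirrors how fips_rngvs.c checks `FIPS_x931_bytes`; the conventions of the other two are assumed and should be confirmed. The same unchecked calls appear in `run_test` in fips_randtest.c and, for set_key/seed/set_dt, in `vst` and `mct` in fips_rngvs.c. The end of `do_x931_test` lies outside this hunk.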
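Review bot: Both failure branches of `FIPS_selftest_x931` return 0 without the `FIPS_x931_reset()` that the success path performs, so after a failed known-answer test the shared static context is left as the test configured it, apparently still in test mode with a test-vector key and seed loaded. The caller in fips.c does set `fips_selftest_fail`, but adding `FIPS_x931_reset();` before `return 0;` in the second branch would avoid relying on every later caller honouring that flag. What the reset actually clears is not visible in this diff, so that is worth confirming. Both `FIPSerr` calls also still pass `FIPS_F_FIPS_SELFTEST_RNG`, which no longer matches the function name; a short comment that the code is kept as-is would prevent confusion.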
+++ b/fips/rand/fips_randtest.c
@@ -218,15 +218,15 @@ static void run_test(unsigned char *key, int keylen, AES_PRNG_MCT *tv)
 {
 unsigned char buf[16], dt[16];
 int i, j;
- FIPS_rand_reset();
- FIPS_rand_test_mode();
- FIPS_rand_set_key(key, keylen);
- FIPS_rand_seed(tv->V, 16);
+ FIPS_x931_reset();
+ FIPS_x931_test_mode();
+ FIPS_x931_set_key(key, keylen);
+ FIPS_x931_seed(tv->V, 16);
 memcpy(dt, tv->DT, 16);
 for (i = 0; i < 10000; i++)
 {
- FIPS_rand_set_dt(dt);
- FIPS_rand_bytes(buf, 16);
+ FIPS_x931_set_dt(dt);
+ FIPS_x931_bytes(buf, 16);
 /* Increment DT */
 for (j = 15; j >= 0; j--)
 {
diff --git a/fips/rand/fips_rngvs.c b/fips/rand/fips_rngvs.c
index f858b6d2e926eaaf046b4c6c25f178939723875d..ac0a526573d447534af576905432f75d5b62ca1a 100644
--- a/fips/rand/fips_rngvs.c
+++ b/fips/rand/fips_rngvs.c
@@ -90,10 +90,10 @@ static void vst(FILE *in, FILE *out)
 return;
 }
- FIPS_rand_set_key(key, keylen);
- FIPS_rand_seed(v,16);
- FIPS_rand_set_dt(dt);
- if (FIPS_rand_bytes(ret,16) <= 0)
+ FIPS_x931_set_key(key, keylen);
+ FIPS_x931_seed(v,16);
+ FIPS_x931_set_dt(dt);
+ if (FIPS_x931_bytes(ret,16) <= 0)
 {
 fprintf(stderr, "Error getting PRNG value\n");
 return;
@@ -168,12 +168,12 @@ static void mct(FILE *in, FILE *out)
 return;
 }
- FIPS_rand_set_key(key, keylen);
- FIPS_rand_seed(v,16);
+ FIPS_x931_set_key(key, keylen);
+ FIPS_x931_seed(v,16);
 for (i = 0; i < 10000; i++)
 {
- FIPS_rand_set_dt(dt);
- if (FIPS_rand_bytes(ret,16) <= 0)
+ FIPS_x931_set_dt(dt);
+ if (FIPS_x931_bytes(ret,16) <= 0)
 {
 fprintf(stderr, "Error getting PRNG value\n");
 return;
@@ -227,8 +227,8 @@ int main(int argc,char **argv)
 exit(1);
 }
 fips_algtest_init();
- FIPS_rand_reset();
- if (!FIPS_rand_test_mode())
+ FIPS_x931_reset();
+ if (!FIPS_x931_test_mode())
 {
 fprintf(stderr, "Error setting PRNG test mode\n");
 exit(1);