File nss-CC-drbg_continuous_selftests.patch of Package mozilla-nss.972

# HG changeset patch
# Parent 7067ca1e149e91d4254229728c761749061346ab
# Parent  4decb47aec1db5d34b42ea94f41c91957c2ab71a
CC/FIPS changes to the DRBG - testing of previous vs. current (to be returned)
pseudorandom data

diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
--- a/lib/freebl/drbg.c
+++ b/lib/freebl/drbg.c
@@ -71,37 +71,40 @@ struct RNGContextStr {
      * immediately after V_type to avoid extra copies. To accomplish this
      * in a way that compiliers can't perturb, we declare V_type and V
      * as a V_Data array and reference them by macros */
     PRUint8  V_Data[PRNG_SEEDLEN+1]; /* internal state variables */
 #define  V_type  V_Data[0]
 #define  V(rng)       (((rng)->V_Data)+1)
 #define  VSize(rng)   ((sizeof (rng)->V_Data) -1)
     PRUint8  C[PRNG_SEEDLEN];        /* internal state variables */
-    PRUint8  oldV[PRNG_SEEDLEN];     /* for continuous rng checking */
     /* If we get calls for the PRNG to return less than the length of our
      * hash, we extend the request for a full hash (since we'll be doing
      * the full hash anyway). Future requests for random numbers are fulfilled
      * from the remainder of the bytes we generated. Requests for bytes longer
      * than the hash size are fulfilled directly from the HashGen function
      * of the random number generator. */
     PRUint8  reseed_counter[RESEED_BYTE+1]; /* number of requests since the 
 					     * last reseed. Need only be
 					     * big enough to hold the whole
 					     * reseed count */
     PRUint8  data[SHA256_LENGTH];	/* when we request less than a block
 					 * save the rest of the rng output for 
 					 * another partial block */
+    PRUint8  prev_blk[SHA256_LENGTH];  /* for continuous rng checking */
     PRUint8  dataAvail;            /* # bytes of output available in our cache,
 	                            * [0...SHA256_LENGTH] */
     /* store additional data that has been shovelled off to us by
      * RNG_RandomUpdate. */
     PRUint8  additionalDataCache[PRNG_ADDITONAL_DATA_CACHE_SIZE];
     PRUint32 additionalAvail;
     PRBool   isValid;          /* false if RNG reaches an invalid state */
+    PRBool   isReady;          /* false if prev_blk has not yet been set to the
+                                * first generated random block, which is used
+                                * solely for continuous testing */
 };
 
 typedef struct RNGContextStr RNGContext;
 static RNGContext *globalrng = NULL;
 static RNGContext theGlobalRng;
 
 
 /*
@@ -158,16 +161,17 @@ static SECStatus
 prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len)
 {
     if (len < PRNG_SEEDLEN) {
 	/* if the seedlen is to small, it's probably because we failed to get
 	 * enough random data */
 	PORT_SetError(SEC_ERROR_NEED_RANDOM);
 	return SECFailure;
     }
+    rng->isReady = PR_FALSE;
     prng_Hash_df(V(rng), VSize(rng), bytes, len, NULL, 0);
     rng->V_type = prngCGenerateType;
     prng_Hash_df(rng->C,sizeof rng->C,rng->V_Data,sizeof rng->V_Data,NULL,0);
     PRNG_RESET_RESEED_COUNT(rng)
     return SECSuccess;
 }
     
 
@@ -275,50 +279,93 @@ prng_reseed_test(RNGContext *rng, const 
  *
  * This function is specified in NIST SP 800-90 section 10.1.1.4, Hashgen
  */
 static void
 prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes, 
 	     unsigned int no_of_returned_bytes)
 {
     PRUint8 data[VSize(rng)];
+    PRUint8 buf[SHA256_LENGTH];
+    PRUint8 *random_bytes;
+    PRUint8 *previous_round;
+
+    /* PRNG has to be initialized first - this is done by requesting
+     * SHA256_LENGTH random bytes from prng_generateNewBytes and throwing
+     * away the random bits returned as is done in rng_init() */
+    if (!rng->isReady) {
+	rng->isValid = PR_FALSE;
+	return;
+    }
 
     PORT_Memcpy(data, V(rng), VSize(rng));
+    previous_round = rng->prev_blk;
     while (no_of_returned_bytes) {
 	SHA256Context ctx;
 	unsigned int len;
 	unsigned int carry;
 	int k1;
 
+	if (no_of_returned_bytes < SHA256_LENGTH) {
+	/* output might be too small to hold whole prng block which has to be
+	 * generated for the continuous test */
+	    random_bytes = buf;
+	} else {
+	    random_bytes = returned_bytes;
+	}
+
  	SHA256_Begin(&ctx);
  	SHA256_Update(&ctx, data, sizeof data);
-	SHA256_End(&ctx, returned_bytes, &len, no_of_returned_bytes);
+	SHA256_End(&ctx, random_bytes, &len, SHA256_LENGTH);
+	
+	/* FIPS continuous PRNG check */
+	if (memcmp(random_bytes, previous_round, SHA256_LENGTH) == 0) {
+	    rng->isValid = PR_FALSE;
+	    goto cleanup;
+	}
+
+	if (no_of_returned_bytes < SHA256_LENGTH) {
+	    /* random_bytes is now actually buf - copy what fits into output;
+	     * getting here also means that we reached the last iteration of
+	     * the loop thus we won't need to do any more updates to the hash
+	     * context. */
+	    PORT_Memcpy(returned_bytes, random_bytes, no_of_returned_bytes);
+	    break;
+	}
+
+	previous_round = random_bytes;
 	returned_bytes += len;
 	no_of_returned_bytes -= len;
 	/* The carry parameter is a bool (increment or not). 
 	 * This increments data if no_of_returned_bytes is not zero */
 	PRNG_ADD_CARRY_ONLY(data, (sizeof data)- 1, no_of_returned_bytes);
     }
+    /* save last block for later comparisons */
+    PORT_Memcpy(rng->prev_blk, random_bytes, SHA256_LENGTH);
+
+cleanup:
     PORT_Memset(data, 0, sizeof data); 
+    PORT_Memset(buf, 0, sizeof buf); 
 }
 
 /* 
  * Generates new random bytes and advances the internal prng state.	
  * additional bytes are only used in algorithm testing.
  * 
  * This function is specified in NIST SP 800-90 section 10.1.1.4
  */
 static SECStatus
 prng_generateNewBytes(RNGContext *rng, 
 		PRUint8 *returned_bytes, unsigned int no_of_returned_bytes,
 		const PRUint8 *additional_input,
 		unsigned int additional_input_len)
 {
     PRUint8 H[SHA256_LENGTH]; /* both H and w since they 
 			       * aren't used concurrently */
+    SECStatus rv = SECSuccess;
     unsigned int carry;
     int k1, k2;
 
     if (!rng->isValid) {
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
     /* This code only triggers during tests, normal
@@ -339,36 +386,49 @@ prng_generateNewBytes(RNGContext *rng,
 	PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w)
 	PORT_Memset(w, 0, sizeof w);
 #undef w 
     }
 
     if (no_of_returned_bytes == SHA256_LENGTH) {
 	/* short_cut to hashbuf and save a copy and a clear */
 	SHA256_HashBuf(returned_bytes, V(rng), VSize(rng) );
+	/* FIPS continuous PRNG check */
+	if (memcmp(returned_bytes, rng->prev_blk, sizeof rng->prev_blk) == 0) {
+	    /* The check is irrelevant until prev_blk is populated which
+	     * happens in rng_init by running through this branch.
+	     * Note that we are here relying on initialisation being done
+	     * properly by some wrapper function! */
+	    rng->isValid = (rng->isReady) ? PR_FALSE : PR_TRUE;
+	}
+    	PORT_Memcpy(rng->prev_blk, returned_bytes, sizeof rng->prev_blk);
     } else {
+	/* prng_Hashgen implements the continuous check on its own */
     	prng_Hashgen(rng, returned_bytes, no_of_returned_bytes);
     }
     /* advance our internal state... */
     rng->V_type = prngGenerateByteType;
     SHA256_HashBuf(H, rng->V_Data, sizeof rng->V_Data);
     PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H)
     PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C);
     PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), rng->reseed_counter, 
 					sizeof rng->reseed_counter)
     PRNG_ADD_CARRY_ONLY(rng->reseed_counter,(sizeof rng->reseed_counter)-1, 1);
 
-    /* continuous rng check */
-    if (memcmp(V(rng), rng->oldV, sizeof rng->oldV) == 0) {
-	rng->isValid = PR_FALSE;
+    /* continuous rng check result handling */
+    if (!rng->isValid) {
+	/* zero the whole DRBG - some recent crypto data might be based on
+	 * previous values and there's no reason to leave it hanging around
+	 */
+	PORT_Memset(rng, 0, sizeof(*rng));
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
+	rv = SECFailure;
     }
-    PORT_Memcpy(rng->oldV, V(rng), sizeof rng->oldV);
-    return SECSuccess;
+    PORT_Memset(H, 0, sizeof(H));
+    return rv;
 }
 
 /* Use NSPR to prevent RNG_RNGInit from being called from separate
  * threads, creating a race condition.
  */
 static const PRCallOnceType pristineCallOnce;
 static PRCallOnceType coRNGInit;
 static PRStatus rng_init(void)
@@ -416,16 +476,17 @@ static PRStatus rng_init(void)
 	    return PR_FAILURE;
 	}
 	/* the RNG is in a valid state */
 	globalrng->isValid = PR_TRUE;
 
 	/* fetch one random value so that we can populate rng->oldV for our
 	 * continous random number test. */
 	prng_generateNewBytes(globalrng, bytes, SHA256_LENGTH, NULL, 0);
+	globalrng->isReady = PR_TRUE;
 
 	/* Fetch more entropy into the PRNG */
 	RNG_SystemInfoForRNG();
     }
     return PR_SUCCESS;
 }
 
 /*
@@ -698,16 +759,21 @@ PRNGTEST_Instantiate(const PRUint8 *entr
 	PORT_Assert(ps_len == 0);
    }
    rv = prng_instantiate(&testContext, bytes, bytes_len);
    PORT_ZFree(bytes, bytes_len);
    if (rv == SECFailure) {
 	return SECFailure;
    }
    testContext.isValid = PR_TRUE;
+   /* test PRNG is not initialised in the same way as globalrng, so mark it
+    * as ready to prevent problems when PRNGTEST_RunHealthTests() is called
+    * as part of globalrng update and the validity/readiness tests intended
+    * for globalrng fail on the test one */
+   testContext.isReady = PR_TRUE;
    return SECSuccess;
 }
 
 SECStatus
 PRNGTEST_Reseed(const PRUint8 *entropy, unsigned int entropy_len, 
 		  const PRUint8 *additional, unsigned int additional_len)
 {
     if (!testContext.isValid) {