Closed Bug 318966 Opened 19 years ago Closed 19 years ago

Implement RNG algorithm tests for FIPS 140-2 validation

Categories

(NSS :: Test, enhancement, P1)

3.10
enhancement

Tracking

(Not tracked)

RESOLVED FIXED
3.11.1

People

(Reporter: glenbeasley, Assigned: wtc)

Attachments

(7 files, 2 obsolete files)

Assignee: glen.beasley → wtchang
The NIST RNG Validation System has two tests (Variable Seed
Test and Monte Carlo Test), both of which require the ability
to compute the RNG output from the specified values of XKey
(the seed-key, or the "state" of the RNG) and XSeed (the seed,
or the optional user input "entropy").  None of the RNG functions
in the blapi.h API allow us to do that.  Moreover, the existing
RNG functions all operate on the RNG instance used by NSS (called
the "global RNG" in the source code).  So we need new blapi.h
functions to implement the tests in the RNG Validation System.

I first tried to create new RNG functions that create and operate
on a RNGContext that's not necessarily the "global RNG".  I went
quite far, but I had a problem initializing a RNGContext's state
(rng->XKey) to a given value and getting the output computed
from that, because FIPS 140-2 (as opposed to FIPS 186-2) requires
that we discard the first block of output produced by the RNG. The
only solution I could come up with is to add a new RNG function
that sets an already running RNGContext's state (rng->XKey) to a
given value, but such a function seems inelegant.  In the end I
abandoned this approach.

In this patch, I added two low-level RNG functions.  The first
one, FIPS186_Xchange_Generate, implements the FIPS 186-2 Change
Notice 1 Revised Algorithm 1 used as a generic purpose RNG (i.e.,
not for generating DSA's X parameter).  (Unfortunately it still
has one FIPS 140-2 requirement -- checking that XSeed != XKey --
which is hard to do outside this function.)  The second function,
FIPS186_Xchange_ReduceModQ, reduces the output of the generic
purpose RNG mod Q to generate DSA's X parameter.

A note on these functions' names: FIPS186_Xchange means this
is the "DSA - Generation of X" algorithm (as opposed to the
"DSA - Generation of K" algorithm) specified in FIPS 186-2
Change Notice 1 (as opposed to the original FIPS 186-2).  I
welcome suggestions for better names.
Attachment #209459 - Flags: superreview?(nelson)
Attachment #209459 - Flags: review?(rrelyea)
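As an added illustration of the algorithm the two new functions implement (this is not NSS code and not part of the bug): FIPS 186-2 Change Notice 1 Algorithm 1 with the SHA-1 based G function, run as a general purpose RNG and then reduced mod q for DSA's X. The function names, the choice b = 160 in the calls, and the split into sha1_compress/G are my own; the XSEED != XKEY rejection is the FIPS 140-2 requirement the comment above mentions.

```python
import struct
MASK32 = 0xFFFFFFFF
# Step 2 of the algorithm: t is the SHA-1 initial hash value (five 32-bit words).
T = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def sha1_compress(state, block):
    """SHA-1 processing of one 64-byte block from a 5-word state, feed-forward
    included (steps a-e of the SHA-1 block loop). Returns the 20-byte result."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return struct.pack(">5I", *((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e))))

def G(t, c, b):
    """FIPS 186-2 Appendix 3.3 G(t, c) built on SHA-1: c is a b-bit value zero-padded
    to one 512-bit block, with no SHA-1 length padding; result is a 160-bit int."""
    return int.from_bytes(sha1_compress(t, c.to_bytes(b // 8, "big") + bytes(64 - b // 8)), "big")

def generate_x(xkey, xseed, b=160):
    """Change Notice 1 Algorithm 1, step 3 for one j, as a general purpose RNG.
    Returns (w0 || w1) as a 320-bit int plus the updated XKEY; the XSEED != XKEY
    check is the FIPS 140-2 requirement the bug comment mentions (assumed here)."""
    if xkey == xseed:
        raise ValueError("XSEED must differ from XKEY")
    mod, ws = 1 << b, []
    for _ in range(2):                  # step 3.b: i = 0, 1
        xval = (xkey + xseed) % mod     # 3.b.i
        wi = G(T, xval, b)              # 3.b.ii
        xkey = (1 + xkey + wi) % mod    # 3.b.iii  (uses w, not w mod q)
        ws.append(wi)
    return (ws[0] << 160) | ws[1], xkey

def reduce_mod_q_for_dsa(w, q):
    """Step 3.c: x_j = (w0 || w1) mod q, i.e. the DSA private parameter X."""
    return w % q
```

Because XKEY is advanced with the unreduced w, the mod-q step can stay a separate function, which is exactly the split between the Generate and ReduceModQ functions in the patch. The FIPS 140-2 discard of the first output block mentioned above is a layer on top of this and is not modeled.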
Adding reviewers to CC list.
I'm attaching this patch here for reference only.
The RNG Validation System has sample input REQUEST
and output RESPONSE files for the FIPS 186-2 RNG.
However, the sample files require an RNG whose b
parameter is variable (160 <= b <= 512), and there
are only sample files for the original RNG algorithm
("Xorg").  In order to test our code using the sample
files, I had to make the changes in this patch.

The changes are:
- Add a 'bsize' parameter to FIPS186_Xchange_Generate.
- Add a FIPS186_Xorg_Generate function.
Comment on attachment 209488
(For reference only) allow a variable 'b' parameter and implement FIPS186 Xorg

Note that for the "Xorg" algorithm ("DSA - Generation of X",
original), the ReduceModQ function must be absorbed into the
Generate function because "xj mod q" is needed to compute the
new XKEY when we generate DSA parameter X.
Attached patch: Implement the RNG tests (obsolete)
This patch implemented the RNG Variable Seed Test
and Monte Carlo Test and added the script rng.sh to
run the tests.
Attachment #209530 - Flags: review?(glen.beasley)
Attachment #209530 - Flags: review?(glen.beasley) → review+
Comment on attachment 209459
Add two RNG functions to blapi.h for the NIST RNG Validation System

r+ relyea
Attachment #209459 - Flags: review?(rrelyea) → review+
Comment on attachment 209459
Add two RNG functions to blapi.h for the NIST RNG Validation System

SR=nelson.  Good clean work.
I would like to suggest some alternatives to "Xchange".

>+FIPS186_Xchange_Generate(unsigned char *XKEY, const unsigned char *XSEEDj,
>+                         unsigned char *x_j);
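Review bot: the declaration updates XKEY in place (it is the only non-const parameter) but shows no buffer lengths for XKEY, XSEEDj or x_j; a comment on the prototype in blapi.h stating each length in bytes, and that XKEY is both input and output, would spare callers of this low-level API a trip into prng_fips1861.c.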

Perhaps _XKEY_Generate, or Xj_Generate.

>+FIPS186_Xchange_ReduceModQ(const unsigned char *w, const unsigned char *q,
>+    unsigned char *xj);
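Review bot: w, q and xj are passed without any length parameters, so their sizes are implicit; the prototype should document the assumed fixed lengths of w and q, and that xj must be at least as long as q since it holds w mod q.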

Perhaps _DSAX_ReduceModQ, or _XSeed_ReduceModQ.
Attachment #209459 - Flags: superreview?(nelson) → superreview+
I renamed the new functions FIPS186Change_GenerateX and
FIPS186Change_ReduceModQForDSA (FIPS186Change is short for
FIPS186-2 with Change Notice 1).  I checked in the patch
on the NSS trunk (3.12) and NSS_3_11_BRANCH (3.11.1).

Checking in blapi.h;
/cvsroot/mozilla/security/nss/lib/freebl/blapi.h,v  <--  blapi.h
new revision: 1.24; previous revision: 1.23
done
Checking in ldvector.c;
/cvsroot/mozilla/security/nss/lib/freebl/ldvector.c,v  <--  ldvector.c
new revision: 1.14; previous revision: 1.13
done
Checking in loader.c;
/cvsroot/mozilla/security/nss/lib/freebl/loader.c,v  <--  loader.c
new revision: 1.28; previous revision: 1.27
done
Checking in loader.h;
/cvsroot/mozilla/security/nss/lib/freebl/loader.h,v  <--  loader.h
new revision: 1.18; previous revision: 1.17
done
Checking in prng_fips1861.c;
/cvsroot/mozilla/security/nss/lib/freebl/prng_fips1861.c,v  <--  prng_fips1861.c
new revision: 1.23; previous revision: 1.22
done

Checking in blapi.h;
/cvsroot/mozilla/security/nss/lib/freebl/blapi.h,v  <--  blapi.h
new revision: 1.23.2.1; previous revision: 1.23
done
Checking in ldvector.c;
/cvsroot/mozilla/security/nss/lib/freebl/ldvector.c,v  <--  ldvector.c
new revision: 1.13.2.1; previous revision: 1.13
done
Checking in loader.c;
/cvsroot/mozilla/security/nss/lib/freebl/loader.c,v  <--  loader.c
new revision: 1.26.2.2; previous revision: 1.26.2.1
done
Checking in loader.h;
/cvsroot/mozilla/security/nss/lib/freebl/loader.h,v  <--  loader.h
new revision: 1.17.2.1; previous revision: 1.17
done
Checking in prng_fips1861.c;
/cvsroot/mozilla/security/nss/lib/freebl/prng_fips1861.c,v  <--  prng_fips1861.c
new revision: 1.22.2.1; previous revision: 1.22
done
Attachment #209459 - Attachment is obsolete: true
Updated to use the new function names.

I checked in this patch on the NSS trunk (3.12) and
NSS_3_11_BRANCH (3.11.1).

Checking in fipstest.c;
/cvsroot/mozilla/security/nss/cmd/fipstest/fipstest.c,v  <--  fipstest.c
new revision: 1.20; previous revision: 1.19
done
RCS file: /cvsroot/mozilla/security/nss/cmd/fipstest/rng.sh,v
done
Checking in rng.sh;
/cvsroot/mozilla/security/nss/cmd/fipstest/rng.sh,v  <--  rng.sh
initial revision: 1.1
done

Checking in fipstest.c;
/cvsroot/mozilla/security/nss/cmd/fipstest/fipstest.c,v  <--  fipstest.c
new revision: 1.3.2.13; previous revision: 1.3.2.12
done
Checking in rng.sh;
/cvsroot/mozilla/security/nss/cmd/fipstest/rng.sh,v  <--  rng.sh
new revision: 1.1.2.2; previous revision: 1.1.2.1
done
Attachment #209530 - Attachment is obsolete: true
Severity: normal → enhancement
Status: NEW → RESOLVED
Closed: 19 years ago
OS: Solaris → All
Priority: -- → P1
Hardware: Sun → All
Resolution: --- → FIXED
Version: 3.11.1 → 3.10