Reseeding without derivation function is not supported in FIPS mode.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8648)

crypto/err/openssl.txt

@@ -1103,6 +1103,7 @@ PROP_F_PARSE_OCT:105:parse_oct
 PROP_F_PARSE_STRING:106:parse_string
 PROP_F_PARSE_UNQUOTED:107:parse_unquoted
 RAND_F_DRBG_BYTES:101:drbg_bytes
+RAND_F_DRBG_CTR_INIT:125:drbg_ctr_init
 RAND_F_DRBG_GET_ENTROPY:105:drbg_get_entropy
 RAND_F_DRBG_SETUP:117:drbg_setup
 RAND_F_GET_ENTROPY:106:get_entropy
@@ -2607,6 +2608,8 @@ RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long
 RAND_R_ALREADY_INSTANTIATED:103:already instantiated
 RAND_R_ARGUMENT_OUT_OF_RANGE:105:argument out of range
 RAND_R_CANNOT_OPEN_FILE:121:Cannot open file
+RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS:137:\
+	derivation function mandatory for fips
 RAND_R_DRBG_ALREADY_INITIALIZED:129:drbg already initialized
 RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised
 RAND_R_ENTROPY_INPUT_TOO_LONG:106:entropy input too long

crypto/rand/drbg_ctr.c

@@ -422,6 +422,11 @@ int drbg_ctr_init(RAND_DRBG *drbg)
         drbg->max_perslen = DRBG_MAX_LENGTH;
         drbg->max_adinlen = DRBG_MAX_LENGTH;
     } else {
+#ifdef FIPS_MODE
+        RANDerr(RAND_F_DRBG_CTR_INIT,
+                RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS);
+        return 0;
+#else
         drbg->min_entropylen = drbg->seedlen;
         drbg->max_entropylen = drbg->seedlen;
         /* Nonce not used */
@@ -429,6 +434,7 @@ int drbg_ctr_init(RAND_DRBG *drbg)
         drbg->max_noncelen = 0;
         drbg->max_perslen = drbg->seedlen;
         drbg->max_adinlen = drbg->seedlen;
+#endif
     }
 
     drbg->max_request = 1 << 16;

crypto/rand/rand_err.c

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -15,6 +15,7 @@
 
 static const ERR_STRING_DATA RAND_str_functs[] = {
     {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_BYTES, 0), "drbg_bytes"},
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_CTR_INIT, 0), "drbg_ctr_init"},
     {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_GET_ENTROPY, 0), "drbg_get_entropy"},
     {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_SETUP, 0), "drbg_setup"},
     {ERR_PACK(ERR_LIB_RAND, RAND_F_GET_ENTROPY, 0), "get_entropy"},
@@ -60,6 +61,8 @@ static const ERR_STRING_DATA RAND_str_reasons[] = {
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ARGUMENT_OUT_OF_RANGE),
     "argument out of range"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_CANNOT_OPEN_FILE), "Cannot open file"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS),
+    "derivation function mandatory for fips"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DRBG_ALREADY_INITIALIZED),
     "drbg already initialized"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DRBG_NOT_INITIALISED),

include/openssl/randerr.h

@@ -24,6 +24,7 @@ int ERR_load_RAND_strings(void);
  * RAND function codes.
  */
 # define RAND_F_DRBG_BYTES                                101
+# define RAND_F_DRBG_CTR_INIT                             125
 # define RAND_F_DRBG_GET_ENTROPY                          105
 # define RAND_F_DRBG_SETUP                                117
 # define RAND_F_GET_ENTROPY                               106
@@ -56,6 +57,7 @@ int ERR_load_RAND_strings(void);
 # define RAND_R_ALREADY_INSTANTIATED                      103
 # define RAND_R_ARGUMENT_OUT_OF_RANGE                     105
 # define RAND_R_CANNOT_OPEN_FILE                          121
+# define RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS    137
 # define RAND_R_DRBG_ALREADY_INITIALIZED                  129
 # define RAND_R_DRBG_NOT_INITIALISED                      104
 # define RAND_R_ENTROPY_INPUT_TOO_LONG                    106

test/drbg_cavs_test.c

@@ -254,6 +254,11 @@ static int test_cavs_kats(const struct drbg_kat *test[], int i)
     const struct drbg_kat *td = test[i];
     int rv = 0;
 
+#ifdef FIPS_MODE
+    /* FIPS mode doesn't support instantiating without a derivation function */
+    if ((td->flags & USE_DF) == 0)
+        return 1;
+#endif
     switch (td->type) {
     case NO_RESEED:
         if (!single_kat_no_reseed(td))

test/drbgtest.c

@@ -104,9 +104,12 @@ typedef struct drbg_selftest_data_st {
     make_drbg_test_data(nid, 0, pr, p)
 
 static DRBG_SELFTEST_DATA drbg_test[] = {
+#ifndef FIPS_MODE
+    /* FIPS mode doesn't support CTR DRBG without a derivation function */
     make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df,  0),
     make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df,  0),
     make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df,  1),
+#endif
     make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0),
     make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0),
     make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1),
@@ -1107,6 +1110,8 @@ static int test_set_defaults(void)
            && TEST_int_eq(public->type, NID_sha256)
            && TEST_int_eq(public->flags, RAND_DRBG_FLAG_PUBLIC)
 
+          /* FIPS mode doesn't support CTR DRBG without a derivation function */
+#ifndef FIPS_MODE
           /* Change DRBG defaults and change master and check again */
            && TEST_true(RAND_DRBG_set_defaults(NID_aes_256_ctr,
                                                RAND_DRBG_FLAG_CTR_NO_DF))
@@ -1114,7 +1119,7 @@ static int test_set_defaults(void)
            && TEST_int_eq(master->type, NID_aes_256_ctr)
            && TEST_int_eq(master->flags,
                           RAND_DRBG_FLAG_MASTER|RAND_DRBG_FLAG_CTR_NO_DF)
-
+#endif
            /* Reset back to the standard defaults */
            && TEST_true(RAND_DRBG_set_defaults(RAND_DRBG_TYPE,
                                                RAND_DRBG_FLAGS