isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone
Blob Blame History Raw
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest	2020-04-23 13:33:12.500624151 +0200
+++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-04-23 13:33:12.618621925 +0200
@@ -67,12 +67,18 @@
 
 # include <openssl/fips.h>
 # include "crypto/fips.h"
+# include "crypto/rand.h"
 # include "fips_locl.h"
 
 /* Run all selftests */
 int FIPS_selftest(void)
 {
     int rv = 1;
+    if (!rand_drbg_selftest()) {
+        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
+        ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
+        rv = 0;
+    }
     if (!FIPS_selftest_drbg())
         rv = 0;
     if (!FIPS_selftest_sha1())
diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest	2020-04-23 13:33:12.619621907 +0200
+++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:34:10.857523497 +0200
@@ -1,6 +1,6 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=\
         randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
-        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
+        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
 
 INCLUDE[drbg_ctr.o]=../modes
diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest	2020-04-23 13:33:12.619621907 +0200
+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c	2020-04-23 13:33:12.619621907 +0200
@@ -0,0 +1,537 @@
+/*
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <stddef.h>
+#include "internal/nelem.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand_drbg.h>
+#include <openssl/obj_mac.h>
+#include "internal/thread_once.h"
+#include "crypto/rand.h"
+
+typedef struct test_ctx_st {
+    const unsigned char *entropy;
+    size_t entropylen;
+    int entropycnt;
+    const unsigned char *nonce;
+    size_t noncelen;
+    int noncecnt;
+} TEST_CTX;
+
+static int app_data_index = -1;
+static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
+DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
+{
+    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+
+    return 1;
+}
+
+enum drbg_kat_type {
+    NO_RESEED,
+    PR_FALSE,
+    PR_TRUE
+};
+
+enum drbg_df {
+    USE_DF,
+    NO_DF,
+    NA
+};
+
+struct drbg_kat_no_reseed {
+    size_t count;
+    const unsigned char *entropyin;
+    const unsigned char *nonce;
+    const unsigned char *persstr;
+    const unsigned char *addin1;
+    const unsigned char *addin2;
+    const unsigned char *retbytes;
+};
+
+struct drbg_kat_pr_false {
+    size_t count;
+    const unsigned char *entropyin;
+    const unsigned char *nonce;
+    const unsigned char *persstr;
+    const unsigned char *entropyinreseed;
+    const unsigned char *addinreseed;
+    const unsigned char *addin1;
+    const unsigned char *addin2;
+    const unsigned char *retbytes;
+};
+
+struct drbg_kat_pr_true {
+    size_t count;
+    const unsigned char *entropyin;
+    const unsigned char *nonce;
+    const unsigned char *persstr;
+    const unsigned char *entropyinpr1;
+    const unsigned char *addin1;
+    const unsigned char *entropyinpr2;
+    const unsigned char *addin2;
+    const unsigned char *retbytes;
+};
+
+struct drbg_kat {
+    enum drbg_kat_type type;
+    enum drbg_df df;
+    int nid;
+
+    size_t entropyinlen;
+    size_t noncelen;
+    size_t persstrlen;
+    size_t addinlen;
+    size_t retbyteslen;
+
+    const void *t;
+};
+
+/*
+ * Excerpt from test/drbg_cavs_data.c
+ * DRBG test vectors from:
+ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
+ */
+
+static const unsigned char kat1308_entropyin[] = {
+    0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
+    0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
+    0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
+    0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
+};
+static const unsigned char kat1308_nonce[] = {0};
+static const unsigned char kat1308_persstr[] = {
+    0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
+    0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
+    0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
+    0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
+};
+static const unsigned char kat1308_addin0[] = {
+    0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
+    0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
+    0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
+    0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
+};
+static const unsigned char kat1308_addin1[] = {
+    0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
+    0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
+    0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
+    0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
+};
+static const unsigned char kat1308_retbits[] = {
+    0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
+    0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
+    0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
+    0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
+    0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
+    0x26, 0x32, 0xd0, 0xb8,
+};
+static const struct drbg_kat_no_reseed kat1308_t = {
+    2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
+    kat1308_addin0, kat1308_addin1, kat1308_retbits
+};
+static const struct drbg_kat kat1308 = {
+    NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
+};
+
+static const unsigned char kat1465_entropyin[] = {
+    0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
+    0x87, 0xbe, 0xaa, 0xc0,
+};
+static const unsigned char kat1465_nonce[] = {
+    0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
+};
+static const unsigned char kat1465_persstr[] = {0};
+static const unsigned char kat1465_entropyinreseed[] = {
+    0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
+    0x1f, 0x4b, 0x7b, 0x51,
+};
+static const unsigned char kat1465_addinreseed[] = {
+    0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
+    0x61, 0x9f, 0x26, 0x5f,
+};
+static const unsigned char kat1465_addin0[] = {
+    0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
+    0x10, 0x5a, 0x73, 0x9c,
+};
+static const unsigned char kat1465_addin1[] = {
+    0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
+    0x47, 0x99, 0x1f, 0xeb,
+};
+static const unsigned char kat1465_retbits[] = {
+    0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
+    0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
+    0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
+    0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
+    0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
+    0x58, 0xdb, 0x27, 0xba,
+};
+static const struct drbg_kat_pr_false kat1465_t = {
+    9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
+    kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
+    kat1465_addin1, kat1465_retbits
+};
+static const struct drbg_kat kat1465 = {
+    PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
+};
+
+static const unsigned char kat3146_entropyin[] = {
+    0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
+    0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
+};
+static const unsigned char kat3146_nonce[] = {
+    0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
+    0x50, 0x86, 0xca, 0xca,
+};
+static const unsigned char kat3146_persstr[] = {0};
+static const unsigned char kat3146_entropyinpr1[] = {
+    0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
+    0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
+};
+static const unsigned char kat3146_addinpr1[] = {
+    0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
+    0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
+    0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
+};
+static const unsigned char kat3146_entropyinpr2[] = {
+    0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
+    0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
+};
+static const unsigned char kat3146_addinpr2[] = {
+    0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
+    0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
+    0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
+};
+static const unsigned char kat3146_retbits[] = {
+    0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
+    0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
+    0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
+    0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
+    0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
+    0xd4, 0x30, 0x73, 0xbb,
+};
+static const struct drbg_kat_pr_true kat3146_t = {
+    10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
+    kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
+    kat3146_addinpr2, kat3146_retbits
+};
+static const struct drbg_kat kat3146 = {
+    PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
+};
+
+static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
+
+static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
+
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
+                          int entropy, size_t min_len, size_t max_len,
+                          int prediction_resistance)
+{
+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+
+    t->entropycnt++;
+    *pout = (unsigned char *)t->entropy;
+    return t->entropylen;
+}
+
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
+                        int entropy, size_t min_len, size_t max_len)
+{
+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+
+    t->noncecnt++;
+    *pout = (unsigned char *)t->nonce;
+    return t->noncelen;
+}
+
+/*
+ * Do a single NO_RESEED KAT:
+ *
+ * Instantiate
+ * Generate Random Bits (pr=false)
+ * Generate Random Bits (pr=false)
+ * Uninstantiate
+ *
+ * Return 0 on failure.
+ */
+static int single_kat_no_reseed(const struct drbg_kat *td)
+{
+    struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
+    RAND_DRBG *drbg = NULL;
+    unsigned char *buff = NULL;
+    unsigned int flags = 0;
+    int failures = 0;
+    TEST_CTX t;
+
+    if (td->df != USE_DF)
+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
+
+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
+        return 0;
+
+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+                                 kat_nonce, NULL)) {
+        failures++;
+        goto err;
+    }
+    memset(&t, 0, sizeof(t));
+    t.entropy = data->entropyin;
+    t.entropylen = td->entropyinlen;
+    t.nonce = data->nonce;
+    t.noncelen = td->noncelen;
+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+    buff = OPENSSL_malloc(td->retbyteslen);
+    if (buff == NULL) {
+        failures++;
+        goto err;
+    }
+
+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
+                               data->addin1, td->addinlen)
+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
+                               data->addin2, td->addinlen)
+        || memcmp(data->retbytes, buff,
+                  td->retbyteslen) != 0)
+        failures++;
+
+err:
+    OPENSSL_free(buff);
+    RAND_DRBG_uninstantiate(drbg);
+    RAND_DRBG_free(drbg);
+    return failures == 0;
+}
+
+/*-
+ * Do a single PR_FALSE KAT:
+ *
+ * Instantiate
+ * Reseed
+ * Generate Random Bits (pr=false)
+ * Generate Random Bits (pr=false)
+ * Uninstantiate
+ *
+ * Return 0 on failure.
+ */
+static int single_kat_pr_false(const struct drbg_kat *td)
+{
+    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
+    RAND_DRBG *drbg = NULL;
+    unsigned char *buff = NULL;
+    unsigned int flags = 0;
+    int failures = 0;
+    TEST_CTX t;
+
+    if (td->df != USE_DF)
+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
+
+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
+        return 0;
+
+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+                                 kat_nonce, NULL)) {
+        failures++;
+        goto err;
+    }
+    memset(&t, 0, sizeof(t));
+    t.entropy = data->entropyin;
+    t.entropylen = td->entropyinlen;
+    t.nonce = data->nonce;
+    t.noncelen = td->noncelen;
+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+    buff = OPENSSL_malloc(td->retbyteslen);
+    if (buff == NULL) {
+        failures++;
+        goto err;
+    }
+
+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
+        failures++;
+
+    t.entropy = data->entropyinreseed;
+    t.entropylen = td->entropyinlen;
+
+    if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
+                               data->addin1, td->addinlen)
+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
+                               data->addin2, td->addinlen)
+        || memcmp(data->retbytes, buff,
+                  td->retbyteslen) != 0)
+        failures++;
+
+err:
+    OPENSSL_free(buff);
+    RAND_DRBG_uninstantiate(drbg);
+    RAND_DRBG_free(drbg);
+    return failures == 0;
+}
+
+/*-
+ * Do a single PR_TRUE KAT:
+ *
+ * Instantiate
+ * Generate Random Bits (pr=true)
+ * Generate Random Bits (pr=true)
+ * Uninstantiate
+ *
+ * Return 0 on failure.
+ */
+static int single_kat_pr_true(const struct drbg_kat *td)
+{
+    struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
+    RAND_DRBG *drbg = NULL;
+    unsigned char *buff = NULL;
+    unsigned int flags = 0;
+    int failures = 0;
+    TEST_CTX t;
+
+    if (td->df != USE_DF)
+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
+
+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
+        return 0;
+
+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+                                 kat_nonce, NULL)) {
+        failures++;
+        goto err;
+    }
+    memset(&t, 0, sizeof(t));
+    t.nonce = data->nonce;
+    t.noncelen = td->noncelen;
+    t.entropy = data->entropyin;
+    t.entropylen = td->entropyinlen;
+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+    buff = OPENSSL_malloc(td->retbyteslen);
+    if (buff == NULL) {
+        failures++;
+        goto err;
+    }
+
+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
+        failures++;
+
+    t.entropy = data->entropyinpr1;
+    t.entropylen = td->entropyinlen;
+
+    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
+                            data->addin1, td->addinlen))
+        failures++;
+
+    t.entropy = data->entropyinpr2;
+    t.entropylen = td->entropyinlen;
+
+    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
+                            data->addin2, td->addinlen)
+        || memcmp(data->retbytes, buff,
+                  td->retbyteslen) != 0)
+        failures++;
+
+err:
+    OPENSSL_free(buff);
+    RAND_DRBG_uninstantiate(drbg);
+    RAND_DRBG_free(drbg);
+    return failures == 0;
+}
+
+static int test_kats(int i)
+{
+    const struct drbg_kat *td = drbg_test[i];
+    int rv = 0;
+
+    switch (td->type) {
+    case NO_RESEED:
+        if (!single_kat_no_reseed(td))
+            goto err;
+        break;
+    case PR_FALSE:
+        if (!single_kat_pr_false(td))
+            goto err;
+        break;
+    case PR_TRUE:
+        if (!single_kat_pr_true(td))
+            goto err;
+        break;
+    default:	/* cant happen */
+        goto err;
+    }
+    rv = 1;
+err:
+    return rv;
+}
+
+/*-
+ * Do one expected-error test:
+ *
+ * Instantiate with no entropy supplied
+ *
+ * Return 0 on failure.
+ */
+static int test_drbg_sanity(const struct drbg_kat *td)
+{
+    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
+    RAND_DRBG *drbg = NULL;
+    unsigned int flags = 0;
+    int failures = 0;
+    TEST_CTX t;
+
+    if (td->df != USE_DF)
+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
+
+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
+        return 0;
+
+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+                                 kat_nonce, NULL)) {
+        failures++;
+        goto err;
+    }
+    memset(&t, 0, sizeof(t));
+    t.entropy = data->entropyin;
+    t.entropylen = 0;     /* No entropy */
+    t.nonce = data->nonce;
+    t.noncelen = td->noncelen;
+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+    ERR_set_mark();
+    /* This must fail. */
+    if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
+        failures++;
+    RAND_DRBG_uninstantiate(drbg);
+    ERR_pop_to_mark();
+
+err:
+    RAND_DRBG_free(drbg);
+    return failures == 0;
+}
+
+
+int rand_drbg_selftest(void)
+{
+    int i;
+
+    if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
+        return 0;
+
+    for (i = 0; i < drbg_test_nelem; i++) {
+        if (test_kats(i) <= 0)
+            return 0;
+    }
+
+    if (test_drbg_sanity(&kat1465) <= 0)
+        return 0;
+
+    return 1;
+}
diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest	2020-04-23 13:33:12.587622510 +0200
+++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:33:12.619621907 +0200
@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
  */
 void rand_pool_keep_random_devices_open(int keep);
 
+/*
+ * Perform the DRBG KAT selftests
+ */
+int rand_drbg_selftest(void);
+
 #endif