
Conversation

@torben-hansen (Contributor) commented Nov 24, 2025

Description of changes:

IG D.L requires that the entropy argument has full entropy. This won't happen using the passive method. Hence, implement a derivation function to compensate.

The derivation function is implemented as described in SP800-90A, using a generation counter for the nonce. The nonce is then unique per process for up to 2^128 lifetime initializations.

The new ctr-drbg derivation function interface is not exported. Instead, it's only used internally. I kept the existing ctr-drbg interface around in an attempt to make the change minimal. RAND_bytes() will continue to use the existing ctr-drbg implementation, except when in FIPS mode and not using the special CPU Jitter mode.

Call-outs:

All FIPS related tests are adjusted to use the new ctr-drbg derivation functions.

Performance on Arm64

Now

$ ./tool/bssl speed -filter RNG
Did 1737000 RNG (16 bytes) operations in 1000437us (1736241.3 ops/sec): 27.8 MB/s
Did 1597500 RNG (256 bytes) operations in 1000066us (1597394.6 ops/sec): 408.9 MB/s
Did 1155250 RNG (1350 bytes) operations in 1000043us (1155200.3 ops/sec): 1559.5 MB/s
Did 445000 RNG (8192 bytes) operations in 1000808us (444640.7 ops/sec): 3642.5 MB/s
Did 254000 RNG (16384 bytes) operations in 1000784us (253801.0 ops/sec): 4158.3 MB/s

Before

$ ./tool/bssl speed -filter RNG
Did 4173250 RNG (16 bytes) operations in 1000045us (4173062.2 ops/sec): 66.8 MB/s
Did 3481750 RNG (256 bytes) operations in 1000064us (3481527.2 ops/sec): 891.3 MB/s
Did 1899000 RNG (1350 bytes) operations in 1000167us (1898682.9 ops/sec): 2563.2 MB/s
Did 524000 RNG (8192 bytes) operations in 1001596us (523165.0 ops/sec): 4285.8 MB/s
Did 278000 RNG (16384 bytes) operations in 1001963us (277455.4 ops/sec): 4545.8 MB/s

Testing:

Added lots of KATs for the new ctr-drbg with df interface.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@codecov-commenter commented Nov 24, 2025

Codecov Report

❌ Patch coverage is 83.61582% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.48%. Comparing base (086b1b7) to head (0faafd0).

Files with missing lines Patch % Lines
crypto/fipsmodule/rand/ctrdrbg.c 82.26% 25 Missing ⚠️
crypto/fipsmodule/rand/ctrdrbg_test.cc 87.09% 2 Missing and 2 partials ⚠️
Additional details and impacted files
@@                 Coverage Diff                 @@
##           fips-2024-09-27    #2863      +/-   ##
===================================================
- Coverage            78.59%   78.48%   -0.11%     
===================================================
  Files                  585      585              
  Lines               101047   100260     -787     
  Branches             14311    14346      +35     
===================================================
- Hits                 79418    78691     -727     
+ Misses               20993    20930      -63     
- Partials               636      639       +3     


@torben-hansen torben-hansen marked this pull request as ready for review November 26, 2025 00:51
@torben-hansen torben-hansen requested a review from a team as a code owner November 26, 2025 00:51
@torben-hansen (Contributor, Author):

The CI on this FIPSv3 branch is quite out of date, so there are going to be a lot of failing jobs. I manually checked whether the failing ones are benign or not. All OK.

int CTR_DRBG_reseed_df(CTR_DRBG_STATE *drbg,
                       const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
                       const uint8_t *additional_data,
                       size_t additional_data_len) {
Reviewer (Contributor):

Is this stuff from 8.7.1 or 8.7.2? If neither, where is it defined in the spec?

@torben-hansen (Contributor, Author):

You mean the naming or the algorithm? Sorry not sure I understand the question.

Algorithm is 10.2.1.4.2.

Reviewer (Contributor):

Ah, unclear question on my part. I meant specifically additional_data and its length.

@torben-hansen (Contributor, Author):

I see, the (maximum allowed) length is governed by Table 3: Definitions for the CTR_DRBG in SP800-90A. The upper bound is 2^32 bytes.
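Added worked example, not code from this PR or from AWS-LC: the Block_Cipher_df path that the PR description (derivation function per SP800-90A 10.2.1.4.2, nonce from a generation counter) and the additional_data length discussion above refer to, written in Go on the standard-library AES rather than in the project's C. Assumptions: AES-256 parameters (keylen 256, outlen 128, seedlen 384 bits); the nonce is encoded as a 128-bit big-endian counter (the page only says the counter allows 2^128 initializations, not how it is serialised); a constructed byte string stands in for entropy_input; and the helper names (blockCipherDF, bcc, nonceFromCounter, instantiateSeed, reseedSeed) are illustrative, not AWS-LC symbols.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	blockLen  = 16                // AES outlen in bytes
	keyLen    = 32                // AES-256 keylen in bytes
	seedLen   = keyLen + blockLen // seedlen = 384 bits: the df output that seeds CTR_DRBG
	maxAddLen = 1 << 32           // SP800-90A Table 3: additional input <= 2^35 bits = 2^32 bytes
)

func encryptBlock(key, in []byte) []byte {
	c, _ := aes.NewCipher(key) // key length is fixed by keyLen, so NewCipher cannot fail here
	out := make([]byte, blockLen)
	c.Encrypt(out, in)
	return out
}

// bcc is BCC from SP800-90A 10.2.1.4.2: CBC-MAC-style chaining from a zero IV.
func bcc(key, data []byte) []byte {
	chain := make([]byte, blockLen)
	for i := 0; i < len(data); i += blockLen {
		in := make([]byte, blockLen)
		for j := range in {
			in[j] = chain[j] ^ data[i+j]
		}
		chain = encryptBlock(key, in)
	}
	return chain
}

// blockCipherDF is Block_Cipher_df (SP800-90A 10.2.1.4.2): condense input that need not be full-entropy into nBytes (<= 64) of seed.
func blockCipherDF(input []byte, nBytes int) ([]byte, error) {
	if nBytes > 64 {
		return nil, errors.New("df: at most 512 bits may be requested")
	}
	var hdr [8]byte // S = L || N || input || 0x80, zero-padded to a block multiple
	binary.BigEndian.PutUint32(hdr[:4], uint32(len(input)))
	binary.BigEndian.PutUint32(hdr[4:], uint32(nBytes))
	s := append(append(hdr[:], input...), 0x80)
	for len(s)%blockLen != 0 {
		s = append(s, 0)
	}
	k := make([]byte, keyLen)
	for i := range k {
		k[i] = byte(i) // fixed key 0x00 0x01 ... 0x1F
	}
	var temp []byte
	for i := uint32(0); len(temp) < seedLen; i++ {
		iv := make([]byte, blockLen) // IV = i || 0^(outlen-32)
		binary.BigEndian.PutUint32(iv, i)
		temp = append(temp, bcc(k, append(iv, s...))...)
	}
	k, x := temp[:keyLen], temp[keyLen:seedLen]
	var out []byte
	for len(out) < nBytes {
		x = encryptBlock(k, x)
		out = append(out, x...)
	}
	return out[:nBytes], nil
}

// nonceFromCounter models the PR's generation counter as a 128-bit big-endian counter (width and encoding assumed, not from the page).
func nonceFromCounter(hi, lo uint64) []byte {
	n := make([]byte, blockLen)
	binary.BigEndian.PutUint64(n[:8], hi)
	binary.BigEndian.PutUint64(n[8:], lo)
	return n
}

// instantiateSeed: seed_material = df(entropy_input || nonce || personalization_string, seedlen); Update(Key=0, V=0) follows and is not shown.
func instantiateSeed(entropy, nonce, personalization []byte) ([]byte, error) {
	material := append(append(append([]byte{}, entropy...), nonce...), personalization...)
	return blockCipherDF(material, seedLen)
}

// reseedSeed mirrors the PR's CTR_DRBG_reseed_df input handling: df(entropy_input || additional_input, seedlen), additional_input bounded per Table 3.
func reseedSeed(entropy, additional []byte) ([]byte, error) {
	if uint64(len(additional)) > maxAddLen {
		return nil, errors.New("reseed: additional input exceeds 2^32 bytes")
	}
	return blockCipherDF(append(append([]byte{}, entropy...), additional...), seedLen)
}

func main() {
	entropy := []byte("constructed stand-in for entropy_input from the source") // not real entropy
	seed, err := instantiateSeed(entropy, nonceFromCounter(0, 1), []byte("example personalization"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("seed material: %x\n", seed)
}
```

The Table 3 bound is enforced in reseedSeed before the bytes reach the df; note that the df header encodes the input length L in 32 bits, so an additional_input longer than 2^32 bytes could not be represented correctly even if the check were missing, which is why the length must be validated by the caller of the df rather than inside it.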

@torben-hansen (Contributor, Author):

Checked all failing dimensions. I believe they are due to outdated CI and unrelated to this change.

@torben-hansen torben-hansen merged commit 9e89db3 into aws:fips-2024-09-27 Dec 1, 2025
70 of 110 checks passed
torben-hansen added a commit that referenced this pull request Dec 3, 2025
Equivalent to #2863, except that SET_DIT_AUTO_RESET, which is not supported in this version, is removed.