[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Wed Jul 19 07:34:10 UTC 2017
The branch master has been updated
via 12fb8c3d2dd00f3d4f1b084385403d26ed64a596 (commit)
from 0299f3f790437d124d15f60489c774407325f82b (commit)
- Log -----------------------------------------------------------------
commit 12fb8c3d2dd00f3d4f1b084385403d26ed64a596
Author: Rich Salz <rsalz at openssl.org>
Date: Tue Jun 27 12:04:37 2017 -0400
Add DRBG random method
Ported from the last FIPS release, with DUAL_EC and SHA1 and the
self-tests removed. Since only AES-CTR is supported, other code
simplifications were done. Removed the "entropy blocklen" concept.
Moved internal functions to new include/internal/rand.h.
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3789)
-----------------------------------------------------------------------
Summary of changes:
crypto/err/openssl.txt | 35 ++-
crypto/rand/build.info | 2 +-
crypto/rand/drbg_lib.c | 349 ++++++++++++++++++++++++++
crypto/rand/drbg_rand.c | 449 ++++++++++++++++++++++++++++++++++
crypto/rand/ossl_rand.c | 52 ++--
crypto/rand/rand_err.c | 38 +++
crypto/rand/rand_lcl.h | 86 ++++++-
crypto/rand/rand_lib.c | 1 +
include/internal/rand.h | 50 ++++
include/openssl/crypto.h | 3 +-
include/openssl/ossl_typ.h | 1 +
include/openssl/rand.h | 19 +-
include/openssl/randerr.h | 35 ++-
test/build.info | 7 +-
test/drbgtest.c | 490 +++++++++++++++++++++++++++++++++++++
test/drbgtest.h | 579 ++++++++++++++++++++++++++++++++++++++++++++
test/recipes/05-test_rand.t | 9 +-
util/libcrypto.num | 13 +
util/mkdef.pl | 1 +
19 files changed, 2165 insertions(+), 54 deletions(-)
create mode 100644 crypto/rand/drbg_lib.c
create mode 100644 crypto/rand/drbg_rand.c
create mode 100644 include/internal/rand.h
create mode 100644 test/drbgtest.c
create mode 100644 test/drbgtest.h
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index f842870..d8fcb9a 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -860,9 +860,17 @@ PKCS7_F_PKCS7_SIGNER_INFO_SIGN:139:PKCS7_SIGNER_INFO_sign
PKCS7_F_PKCS7_SIGN_ADD_SIGNER:137:PKCS7_sign_add_signer
PKCS7_F_PKCS7_SIMPLE_SMIMECAP:119:PKCS7_simple_smimecap
PKCS7_F_PKCS7_VERIFY:117:PKCS7_verify
+RAND_F_DRBG_BYTES:101:drbg_bytes
+RAND_F_DRBG_GET_ENTROPY:105:drbg_get_entropy
+RAND_F_GET_ENTROPY:106:get_entropy
RAND_F_RAND_BYTES:100:RAND_bytes
-RAND_F_RAND_LOAD_FILE:101:RAND_load_file
-RAND_F_RAND_WRITE_FILE:102:RAND_write_file
+RAND_F_RAND_DRBG_GENERATE:107:RAND_DRBG_generate
+RAND_F_RAND_DRBG_INSTANTIATE:108:RAND_DRBG_instantiate
+RAND_F_RAND_DRBG_NEW:109:RAND_DRBG_new
+RAND_F_RAND_DRBG_RESEED:110:RAND_DRBG_reseed
+RAND_F_RAND_DRBG_SET:104:RAND_DRBG_set
+RAND_F_RAND_LOAD_FILE:111:RAND_load_file
+RAND_F_RAND_WRITE_FILE:112:RAND_write_file
RSA_F_CHECK_PADDING_MD:140:check_padding_md
RSA_F_ENCODE_PKCS1:146:encode_pkcs1
RSA_F_INT_RSA_VERIFY:145:int_rsa_verify
@@ -2098,11 +2106,28 @@ PKCS7_R_UNSUPPORTED_CIPHER_TYPE:111:unsupported cipher type
PKCS7_R_UNSUPPORTED_CONTENT_TYPE:112:unsupported content type
PKCS7_R_WRONG_CONTENT_TYPE:113:wrong content type
PKCS7_R_WRONG_PKCS7_TYPE:114:wrong pkcs7 type
-RAND_R_CANNOT_OPEN_FILE:102:Cannot open file
+RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long
+RAND_R_ALREADY_INSTANTIATED:103:already instantiated
+RAND_R_CANNOT_OPEN_FILE:121:Cannot open file
+RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised
+RAND_R_ERROR_INITIALISING_DRBG:107:error initialising drbg
+RAND_R_ERROR_INSTANTIATING_DRBG:108:error instantiating drbg
+RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:109:error retrieving additional input
+RAND_R_ERROR_RETRIEVING_ENTROPY:110:error retrieving entropy
+RAND_R_ERROR_RETRIEVING_NONCE:111:error retrieving nonce
RAND_R_FUNC_NOT_IMPLEMENTED:101:Function not implemented
-RAND_R_FWRITE_ERROR:103:Error writing file
-RAND_R_NOT_A_REGULAR_FILE:104:Not a regular file
+RAND_R_FWRITE_ERROR:123:Error writing file
+RAND_R_GENERATE_ERROR:112:generate error
+RAND_R_INTERNAL_ERROR:113:internal error
+RAND_R_IN_ERROR_STATE:114:in error state
+RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file
+RAND_R_NOT_INSTANTIATED:115:not instantiated
+RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long
RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded
+RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg
+RAND_R_RESEED_ERROR:118:reseed error
+RAND_R_SELFTEST_FAILURE:119:selftest failure
+RAND_R_UNSUPPORTED_DRBG_TYPE:120:unsupported drbg type
RSA_R_ALGORITHM_MISMATCH:100:algorithm mismatch
RSA_R_BAD_E_VALUE:101:bad e value
RSA_R_BAD_FIXED_HEADER_DECRYPT:102:bad fixed header decrypt
diff --git a/crypto/rand/build.info b/crypto/rand/build.info
index 9e0a90b..f011d78 100644
--- a/crypto/rand/build.info
+++ b/crypto/rand/build.info
@@ -1,4 +1,4 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
ossl_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \
- rand_win.c rand_unix.c rand_vms.c
+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_rand.c
diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c
new file mode 100644
index 0000000..b9161ab
--- /dev/null
+++ b/crypto/rand/drbg_lib.c
@@ -0,0 +1,349 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+/*
+ * Support framework for NIST SP 800-90A DRBG, AES-CTR mode.
+ */
+
+/*
+ * Get entropy from the existing callback. This is mainly used for KATs.
+ */
+static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ if (dctx->get_entropy != NULL)
+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
+ /* TODO: Get from parent if it exists. */
+ return 0;
+}
+
+/*
+ * Cleanup entropy.
+ */
+static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen)
+{
+ if (dctx->cleanup_entropy != NULL)
+ dctx->cleanup_entropy(dctx, out, olen);
+}
+
+/*
+ * The OpenSSL model is to have new and free functions, and that new
+ * does all initialization. That is not the NIST model, which has
+ * instantiation and un-instantiate, and re-use within a new/free
+ * lifecycle. (No doubt this comes from the desire to support hardware
+ * DRBG, where allocation of resources on something like an HSM is
+ * a much bigger deal than just re-setting an allocated resource.)
+ *
+ * The DRBG_CTX is OpenSSL's opaque pointer to an instance of the
+ * DRBG.
+ */
+
+/*
+ * Set/initialize |dctx| to be of type |nid|, with optional |flags|.
+ * Return -2 if the type is not supported, 1 on success and -1 on
+ * failure.
+ */
+int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags)
+{
+ int ret = 1;
+
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ dctx->flags = flags;
+ dctx->nid = nid;
+
+ switch (nid) {
+ default:
+ RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
+ return -2;
+ case 0:
+ /* Uninitialized; that's okay. */
+ return 1;
+ case NID_aes_128_ctr:
+ case NID_aes_192_ctr:
+ case NID_aes_256_ctr:
+ ret = ctr_init(dctx);
+ break;
+ }
+
+ if (ret < 0)
+ RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
+ return ret;
+}
+
+/*
+ * Allocate memory and initialize a new DRBG. The |parent|, if not
+ * NULL, will be used to auto-seed this DRBG_CTX as needed.
+ */
+DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent)
+{
+ DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx));
+
+ if (dctx == NULL) {
+ RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ dctx->parent = parent;
+ if (RAND_DRBG_set(dctx, type, flags) < 0) {
+ OPENSSL_free(dctx);
+ return NULL;
+ }
+ return dctx;
+}
+
+/*
+ * Uninstantiate |dctx| and free all memory.
+ */
+void RAND_DRBG_free(DRBG_CTX *dctx)
+{
+ if (dctx == NULL)
+ return;
+
+ ctr_uninstantiate(dctx);
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data);
+
+ /* Don't free up default DRBG */
+ if (dctx == RAND_DRBG_get_default()) {
+ memset(dctx, 0, sizeof(DRBG_CTX));
+ dctx->nid = 0;
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ } else {
+ OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
+ OPENSSL_free(dctx);
+ }
+}
+
+/*
+ * Instantiate |dctx|, after it has been initialized. Use |pers| and
+ * |perslen| as prediction-resistance input.
+ */
+int RAND_DRBG_instantiate(DRBG_CTX *dctx,
+ const unsigned char *pers, size_t perslen)
+{
+ size_t entlen = 0, noncelen = 0;
+ unsigned char *nonce = NULL, *entropy = NULL;
+ int r = 0;
+
+ if (perslen > dctx->max_pers) {
+ r = RAND_R_PERSONALISATION_STRING_TOO_LONG;
+ goto end;
+ }
+ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
+ r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE
+ : RAND_R_ALREADY_INSTANTIATED;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_ERROR;
+ entlen = get_entropy(dctx, &entropy, dctx->strength,
+ dctx->min_entropy, dctx->max_entropy);
+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
+ r = RAND_R_ERROR_RETRIEVING_ENTROPY;
+ goto end;
+ }
+
+ if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) {
+ noncelen = dctx->get_nonce(dctx, &nonce,
+ dctx->strength / 2,
+ dctx->min_nonce, dctx->max_nonce);
+
+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
+ r = RAND_R_ERROR_RETRIEVING_NONCE;
+ goto end;
+ }
+ }
+
+ if (!ctr_instantiate(dctx, entropy, entlen,
+ nonce, noncelen, pers, perslen)) {
+ r = RAND_R_ERROR_INSTANTIATING_DRBG;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_READY;
+ dctx->reseed_counter = 1;
+
+end:
+ if (entropy != NULL && dctx->cleanup_entropy != NULL)
+ dctx->cleanup_entropy(dctx, entropy, entlen);
+ if (nonce != NULL && dctx->cleanup_nonce!= NULL )
+ dctx->cleanup_nonce(dctx, nonce, noncelen);
+ if (dctx->status == DRBG_STATUS_READY)
+ return 1;
+
+ if (r)
+ RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r);
+ return 0;
+}
+
+/*
+ * Uninstantiate |dctx|. Must be instantiated before it can be used.
+ */
+int RAND_DRBG_uninstantiate(DRBG_CTX *dctx)
+{
+ int ret = ctr_uninstantiate(dctx);
+
+ OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ return ret;
+}
+
+/*
+ * Mix in the specified data to reseed |dctx|.
+ */
+int RAND_DRBG_reseed(DRBG_CTX *dctx,
+ const unsigned char *adin, size_t adinlen)
+{
+ unsigned char *entropy = NULL;
+ size_t entlen = 0;
+ int r = 0;
+
+ if (dctx->status != DRBG_STATUS_READY
+ && dctx->status != DRBG_STATUS_RESEED) {
+ if (dctx->status == DRBG_STATUS_ERROR)
+ r = RAND_R_IN_ERROR_STATE;
+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
+ r = RAND_R_NOT_INSTANTIATED;
+ goto end;
+ }
+
+ if (adin == NULL)
+ adinlen = 0;
+ else if (adinlen > dctx->max_adin) {
+ r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_ERROR;
+ entlen = get_entropy(dctx, &entropy, dctx->strength,
+ dctx->min_entropy, dctx->max_entropy);
+
+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
+ r = RAND_R_ERROR_RETRIEVING_ENTROPY;
+ goto end;
+ }
+
+ if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen))
+ goto end;
+ dctx->status = DRBG_STATUS_READY;
+ dctx->reseed_counter = 1;
+
+end:
+ if (entropy != NULL && dctx->cleanup_entropy != NULL)
+ cleanup_entropy(dctx, entropy, entlen);
+ if (dctx->status == DRBG_STATUS_READY)
+ return 1;
+ if (r)
+ RANDerr(RAND_F_RAND_DRBG_RESEED, r);
+
+ return 0;
+}
+
+/*
+ * Generate |outlen| bytes into the buffer at |out|. Reseed if we need
+ * to or if |prediction_resistance| is set. Additional input can be
+ * sent in |adin| and |adinlen|.
+ */
+int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen)
+{
+ int r = 0;
+
+ if (dctx->status != DRBG_STATUS_READY
+ && dctx->status != DRBG_STATUS_RESEED) {
+ if (dctx->status == DRBG_STATUS_ERROR)
+ r = RAND_R_IN_ERROR_STATE;
+ else if(dctx->status == DRBG_STATUS_UNINITIALISED)
+ r = RAND_R_NOT_INSTANTIATED;
+ goto end;
+ }
+
+ if (outlen > dctx->max_request) {
+ r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG;
+ return 0;
+ }
+ if (adinlen > dctx->max_adin) {
+ r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
+ goto end;
+ }
+
+ if (dctx->reseed_counter >= dctx->reseed_interval)
+ dctx->status = DRBG_STATUS_RESEED;
+
+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
+ if (!RAND_DRBG_reseed(dctx, adin, adinlen)) {
+ r = RAND_R_RESEED_ERROR;
+ goto end;
+ }
+ adin = NULL;
+ adinlen = 0;
+ }
+
+ if (!ctr_generate(dctx, out, outlen, adin, adinlen)) {
+ r = RAND_R_GENERATE_ERROR;
+ dctx->status = DRBG_STATUS_ERROR;
+ goto end;
+ }
+ if (dctx->reseed_counter >= dctx->reseed_interval)
+ dctx->status = DRBG_STATUS_RESEED;
+ else
+ dctx->reseed_counter++;
+ return 1;
+
+end:
+ RANDerr(RAND_F_RAND_DRBG_GENERATE, r);
+ return 0;
+}
+
+/*
+ * Set the callbacks for entropy and nonce. Used mainly for the KATs
+ */
+int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
+ size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len),
+ void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
+ size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len),
+ void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
+{
+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
+ return 0;
+ dctx->get_entropy = cb_get_entropy;
+ dctx->cleanup_entropy = cb_cleanup_entropy;
+ dctx->get_nonce = cb_get_nonce;
+ dctx->cleanup_nonce = cb_cleanup_nonce;
+ return 1;
+}
+
+/*
+ * Set the reseed internal. Used mainly for the KATs.
+ */
+void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval)
+{
+ dctx->reseed_interval = interval;
+}
+
+/*
+ * Get and set the EXDATA
+ */
+int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg)
+{
+ return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg);
+}
+
+void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx)
+{
+ return CRYPTO_get_ex_data(&dctx->ex_data, idx);
+}
diff --git a/crypto/rand/drbg_rand.c b/crypto/rand/drbg_rand.c
new file mode 100644
index 0000000..858f74a
--- /dev/null
+++ b/crypto/rand/drbg_rand.c
@@ -0,0 +1,449 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+#include "internal/thread_once.h"
+
+/*
+ * Mapping of NIST SP 800-90A DRBG to OpenSSL RAND_METHOD.
+ */
+
+
+/*
+ * The default global DRBG and its auto-init/auto-cleanup.
+ */
+static DRBG_CTX ossl_drbg;
+
+static CRYPTO_ONCE ossl_drbg_init = CRYPTO_ONCE_STATIC_INIT;
+
+DEFINE_RUN_ONCE_STATIC(do_ossl_drbg_init)
+{
+ ossl_drbg.lock = CRYPTO_THREAD_lock_new();
+ return ossl_drbg.lock != NULL;
+}
+
+void rand_drbg_cleanup(void)
+{
+ CRYPTO_THREAD_lock_free(ossl_drbg.lock);
+}
+
+static void inc_128(DRBG_CTR_CTX *cctx)
+{
+ int i;
+ unsigned char c;
+ unsigned char *p = &cctx->V[15];
+
+ for (i = 0; i < 16; i++, p--) {
+ c = *p;
+ c++;
+ *p = c;
+ if (c != 0) {
+ /* If we didn't wrap around, we're done. */
+ break;
+ }
+ }
+}
+
+static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
+{
+ size_t i, n;
+
+ if (in == NULL || inlen == 0)
+ return;
+
+ /*
+ * Any zero padding will have no effect on the result as we
+ * are XORing. So just process however much input we have.
+ */
+ n = inlen < cctx->keylen ? inlen : cctx->keylen;
+ for (i = 0; i < n; i++)
+ cctx->K[i] ^= in[i];
+ if (inlen <= cctx->keylen)
+ return;
+
+ n = inlen - cctx->keylen;
+ if (n > 16) {
+ /* Should never happen */
+ n = 16;
+ }
+ for (i = 0; i < 16; i++)
+ cctx->V[i] ^= in[i + cctx->keylen];
+}
+
+/*
+ * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
+ */
+static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out,
+ const unsigned char *in)
+{
+ int i;
+
+ for (i = 0; i < 16; i++)
+ out[i] ^= in[i];
+ AES_encrypt(out, out, &cctx->df_ks);
+}
+
+
+/*
+ * Handle several BCC operations for as much data as we need for K and X
+ */
+static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in)
+{
+ ctr_BCC_block(cctx, cctx->KX, in);
+ ctr_BCC_block(cctx, cctx->KX + 16, in);
+ if (cctx->keylen != 16)
+ ctr_BCC_block(cctx, cctx->KX + 32, in);
+}
+
+/*
+ * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
+ * see 10.3.1 stage 7.
+ */
+static void ctr_BCC_init(DRBG_CTR_CTX *cctx)
+{
+ memset(cctx->KX, 0, 48);
+ memset(cctx->bltmp, 0, 16);
+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
+ cctx->bltmp[3] = 1;
+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
+ if (cctx->keylen != 16) {
+ cctx->bltmp[3] = 2;
+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
+ }
+}
+
+/*
+ * Process several blocks into BCC algorithm, some possibly partial
+ */
+static void ctr_BCC_update(DRBG_CTR_CTX *cctx,
+ const unsigned char *in, size_t inlen)
+{
+ if (in == NULL || inlen == 0)
+ return;
+
+ /* If we have partial block handle it first */
+ if (cctx->bltmp_pos) {
+ size_t left = 16 - cctx->bltmp_pos;
+
+ /* If we now have a complete block process it */
+ if (inlen >= left) {
+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
+ ctr_BCC_blocks(cctx, cctx->bltmp);
+ cctx->bltmp_pos = 0;
+ inlen -= left;
+ in += left;
+ }
+ }
+
+ /* Process zero or more complete blocks */
+ for (; inlen >= 16; in += 16, inlen -= 16) {
+ ctr_BCC_blocks(cctx, in);
+ }
+
+ /* Copy any remaining partial block to the temporary buffer */
+ if (inlen > 0) {
+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
+ cctx->bltmp_pos += inlen;
+ }
+}
+
+static void ctr_BCC_final(DRBG_CTR_CTX *cctx)
+{
+ if (cctx->bltmp_pos) {
+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
+ ctr_BCC_blocks(cctx, cctx->bltmp);
+ }
+}
+
+static void ctr_df(DRBG_CTR_CTX *cctx,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *in3, size_t in3len)
+{
+ static unsigned char c80 = 0x80;
+ size_t inlen;
+ unsigned char *p = cctx->bltmp;
+
+ ctr_BCC_init(cctx);
+ if (in1 == NULL)
+ in1len = 0;
+ if (in2 == NULL)
+ in2len = 0;
+ if (in3 == NULL)
+ in3len = 0;
+ inlen = in1len + in2len + in3len;
+ /* Initialise L||N in temporary block */
+ *p++ = (inlen >> 24) & 0xff;
+ *p++ = (inlen >> 16) & 0xff;
+ *p++ = (inlen >> 8) & 0xff;
+ *p++ = inlen & 0xff;
+
+ /* NB keylen is at most 32 bytes */
+ *p++ = 0;
+ *p++ = 0;
+ *p++ = 0;
+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
+ cctx->bltmp_pos = 8;
+ ctr_BCC_update(cctx, in1, in1len);
+ ctr_BCC_update(cctx, in2, in2len);
+ ctr_BCC_update(cctx, in3, in3len);
+ ctr_BCC_update(cctx, &c80, 1);
+ ctr_BCC_final(cctx);
+ /* Set up key K */
+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
+ /* X follows key K */
+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
+ if (cctx->keylen != 16)
+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
+}
+
+/*
+ * NB the no-df Update in SP800-90A specifies a constant input length
+ * of seedlen, however other uses of this algorithm pad the input with
+ * zeroes if necessary and have up to two parameters XORed together,
+ * handle both cases in this function instead.
+ */
+static void ctr_update(DRBG_CTX *dctx,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *nonce, size_t noncelen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->ctr;
+
+ /* ks is already setup for correct key */
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+
+ /* If keylen longer than 128 bits need extra encrypt */
+ if (cctx->keylen != 16) {
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
+ }
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
+
+ /* If 192 bit key part of V is on end of K */
+ if (cctx->keylen == 24) {
+ memcpy(cctx->V + 8, cctx->V, 8);
+ memcpy(cctx->V, cctx->K + 24, 8);
+ }
+
+ if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+ /* If no input reuse existing derived value */
+ if (in1 != NULL || nonce != NULL || in2 != NULL)
+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
+ /* If this a reuse input in1len != 0 */
+ if (in1len)
+ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
+ } else {
+ ctr_XOR(cctx, in1, in1len);
+ ctr_XOR(cctx, in2, in2len);
+ }
+
+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
+}
+
+int ctr_instantiate(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *nonce, size_t noncelen,
+ const unsigned char *pers, size_t perslen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->ctr;
+
+ memset(cctx->K, 0, sizeof(cctx->K));
+ memset(cctx->V, 0, sizeof(cctx->V));
+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
+ ctr_update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
+ return 1;
+}
+
+int ctr_reseed(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *adin, size_t adinlen)
+{
+ ctr_update(dctx, ent, entlen, adin, adinlen, NULL, 0);
+ return 1;
+}
+
+int ctr_generate(DRBG_CTX *dctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adinlen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->ctr;
+
+ if (adin != NULL && adinlen != 0) {
+ ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0);
+ /* This means we reuse derived value */
+ if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+ adin = NULL;
+ adinlen = 1;
+ }
+ } else {
+ adinlen = 0;
+ }
+
+ for ( ; ; ) {
+ inc_128(cctx);
+ if (outlen < 16) {
+ /* Use K as temp space as it will be updated */
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+ memcpy(out, cctx->K, outlen);
+ break;
+ }
+ AES_encrypt(cctx->V, out, &cctx->ks);
+ out += 16;
+ outlen -= 16;
+ if (outlen == 0)
+ break;
+ }
+
+ ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0);
+ return 1;
+}
+
+int ctr_uninstantiate(DRBG_CTX *dctx)
+{
+ memset(&dctx->ctr, 0, sizeof(dctx->ctr));
+ return 1;
+}
+
+int ctr_init(DRBG_CTX *dctx)
+{
+ DRBG_CTR_CTX *cctx = &dctx->ctr;
+ size_t keylen;
+
+ switch (dctx->nid) {
+ default:
+ /* This can't happen, but silence the compiler warning. */
+ return -1;
+ case NID_aes_128_ctr:
+ keylen = 16;
+ break;
+ case NID_aes_192_ctr:
+ keylen = 24;
+ break;
+ case NID_aes_256_ctr:
+ keylen = 32;
+ break;
+ }
+
+ cctx->keylen = keylen;
+ dctx->strength = keylen * 8;
+ dctx->blocklength = 16;
+ dctx->seedlen = keylen + 16;
+
+ if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+ /* df initialisation */
+ static unsigned char df_key[32] = {
+ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+ 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
+ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+ 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
+ };
+ /* Set key schedule for df_key */
+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
+
+ dctx->min_entropy = cctx->keylen;
+ dctx->max_entropy = DRBG_MAX_LENGTH;
+ dctx->min_nonce = dctx->min_entropy / 2;
+ dctx->max_nonce = DRBG_MAX_LENGTH;
+ dctx->max_pers = DRBG_MAX_LENGTH;
+ dctx->max_adin = DRBG_MAX_LENGTH;
+ } else {
+ dctx->min_entropy = dctx->seedlen;
+ dctx->max_entropy = dctx->seedlen;
+ /* Nonce not used */
+ dctx->min_nonce = 0;
+ dctx->max_nonce = 0;
+ dctx->max_pers = dctx->seedlen;
+ dctx->max_adin = dctx->seedlen;
+ }
+
+ dctx->max_request = 1 << 16;
+ dctx->reseed_interval = 1 << 24;
+ return 1;
+}
+
+
+/*
+ * The following function tie the DRBG code into the RAND_METHOD
+ */
+
+DRBG_CTX *RAND_DRBG_get_default(void)
+{
+ if (!RUN_ONCE(&ossl_drbg_init, do_ossl_drbg_init))
+ return NULL;
+ return &ossl_drbg;
+}
+
+static int drbg_bytes(unsigned char *out, int count)
+{
+ DRBG_CTX *dctx = RAND_DRBG_get_default();
+ int ret = 0;
+
+ CRYPTO_THREAD_write_lock(dctx->lock);
+ do {
+ size_t rcnt;
+
+ if (count > (int)dctx->max_request)
+ rcnt = dctx->max_request;
+ else
+ rcnt = count;
+ ret = RAND_DRBG_generate(dctx, out, rcnt, 0, NULL, 0);
+ if (!ret)
+ goto err;
+ out += rcnt;
+ count -= rcnt;
+ } while (count);
+ ret = 1;
+err:
+ CRYPTO_THREAD_unlock(dctx->lock);
+ return ret;
+}
+
+static int drbg_status(void)
+{
+ DRBG_CTX *dctx = RAND_DRBG_get_default();
+ int ret;
+
+ CRYPTO_THREAD_write_lock(dctx->lock);
+ ret = dctx->status == DRBG_STATUS_READY ? 1 : 0;
+ CRYPTO_THREAD_unlock(dctx->lock);
+ return ret;
+}
+
+static void drbg_cleanup(void)
+{
+ DRBG_CTX *dctx = RAND_DRBG_get_default();
+
+ CRYPTO_THREAD_write_lock(dctx->lock);
+ RAND_DRBG_uninstantiate(dctx);
+ CRYPTO_THREAD_unlock(dctx->lock);
+}
+
+static const RAND_METHOD rand_drbg_meth =
+{
+ NULL,
+ drbg_bytes,
+ drbg_cleanup,
+ NULL,
+ drbg_bytes,
+ drbg_status
+};
+
+const RAND_METHOD *RAND_drbg(void)
+{
+ return &rand_drbg_meth;
+}
diff --git a/crypto/rand/ossl_rand.c b/crypto/rand/ossl_rand.c
index 016653d..1b4b21b 100644
--- a/crypto/rand/ossl_rand.c
+++ b/crypto/rand/ossl_rand.c
@@ -38,8 +38,8 @@ typedef struct ossl_rand_state_st OSSL_RAND_STATE;
struct ossl_rand_state_st {
size_t num;
size_t index;
- unsigned char state[STATE_SIZE + RAND_DIGEST_LENGTH];
- unsigned char md[RAND_DIGEST_LENGTH];
+ unsigned char state[STATE_SIZE + SHA_DIGEST_LENGTH];
+ unsigned char md[SHA_DIGEST_LENGTH];
long md_count[2];
};
@@ -103,7 +103,7 @@ static int rand_add(const void *buf, int num, double add)
{
int i, j, k, st_idx;
long md_c[2];
- unsigned char local_md[RAND_DIGEST_LENGTH];
+ unsigned char local_md[SHA_DIGEST_LENGTH];
EVP_MD_CTX *m;
int do_not_lock;
int rv = 0;
@@ -178,18 +178,18 @@ static int rand_add(const void *buf, int num, double add)
* will use now, but other threads may use them as well
*/
- sp->md_count[1] += (num / RAND_DIGEST_LENGTH) + (num % RAND_DIGEST_LENGTH > 0);
+ sp->md_count[1] += (num / SHA_DIGEST_LENGTH) + (num % SHA_DIGEST_LENGTH > 0);
if (!do_not_lock)
CRYPTO_THREAD_unlock(rand_lock);
- for (i = 0; i < num; i += RAND_DIGEST_LENGTH) {
+ for (i = 0; i < num; i += SHA_DIGEST_LENGTH) {
j = (num - i);
- j = (j > RAND_DIGEST_LENGTH) ? RAND_DIGEST_LENGTH : j;
+ j = (j > SHA_DIGEST_LENGTH) ? SHA_DIGEST_LENGTH : j;
- if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL))
+ if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL))
goto err;
- if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
+ if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
goto err;
k = (st_idx + j) - STATE_SIZE;
if (k > 0) {
@@ -268,7 +268,7 @@ static int rand_bytes(unsigned char *buf, int num)
size_t num_ceil, st_idx, st_num;
int ok;
long md_c[2];
- unsigned char local_md[RAND_DIGEST_LENGTH];
+ unsigned char local_md[SHA_DIGEST_LENGTH];
EVP_MD_CTX *m;
OSSL_RAND_STATE *sp = &global_state;
#ifndef GETPID_IS_MEANINGLESS
@@ -314,9 +314,9 @@ static int rand_bytes(unsigned char *buf, int num)
if (m == NULL)
goto err_mem;
- /* round upwards to multiple of RAND_DIGEST_LENGTH/2 */
+ /* round upwards to multiple of SHA_DIGEST_LENGTH/2 */
num_ceil =
- (1 + (num - 1) / (RAND_DIGEST_LENGTH / 2)) * (RAND_DIGEST_LENGTH / 2);
+ (1 + (num - 1) / (SHA_DIGEST_LENGTH / 2)) * (SHA_DIGEST_LENGTH / 2);
/*
* (Based on the rand(3) manpage:)
@@ -389,16 +389,16 @@ static int rand_bytes(unsigned char *buf, int num)
int n = STATE_SIZE; /* so that the complete pool gets accessed */
while (n > 0) {
-#if RAND_DIGEST_LENGTH > 20
+#if SHA_DIGEST_LENGTH > 20
# error "Please adjust DUMMY_SEED."
#endif
-#define DUMMY_SEED "...................." /* at least RAND_DIGEST_LENGTH */
+#define DUMMY_SEED "...................." /* at least SHA_DIGEST_LENGTH */
/*
* Note that the seed does not matter, it's just that
* rand_add expects to have something to hash.
*/
- rand_add(DUMMY_SEED, RAND_DIGEST_LENGTH, 0.0);
- n -= RAND_DIGEST_LENGTH;
+ rand_add(DUMMY_SEED, SHA_DIGEST_LENGTH, 0.0);
+ n -= SHA_DIGEST_LENGTH;
}
if (ok)
stirred_pool = 1;
@@ -427,10 +427,10 @@ static int rand_bytes(unsigned char *buf, int num)
CRYPTO_THREAD_unlock(rand_lock);
while (num > 0) {
- /* num_ceil -= RAND_DIGEST_LENGTH / 2 */
- j = (num >= RAND_DIGEST_LENGTH / 2) ? RAND_DIGEST_LENGTH / 2 : num;
+ /* num_ceil -= SHA_DIGEST_LENGTH / 2 */
+ j = (num >= SHA_DIGEST_LENGTH / 2) ? SHA_DIGEST_LENGTH / 2 : num;
num -= j;
- if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL))
+ if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL))
goto err;
#ifndef GETPID_IS_MEANINGLESS
if (curr_pid) { /* just in the first iteration to save time */
@@ -448,35 +448,35 @@ static int rand_bytes(unsigned char *buf, int num)
if (!rand_hw_seed(m))
goto err;
}
- if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
+ if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
goto err;
if (!EVP_DigestUpdate(m, (unsigned char *)md_c, sizeof(md_c)))
goto err;
- k = (st_idx + RAND_DIGEST_LENGTH / 2) - st_num;
+ k = (st_idx + SHA_DIGEST_LENGTH / 2) - st_num;
if (k > 0) {
- if (!EVP_DigestUpdate(m, &sp->state[st_idx], RAND_DIGEST_LENGTH / 2 - k))
+ if (!EVP_DigestUpdate(m, &sp->state[st_idx], SHA_DIGEST_LENGTH / 2 - k))
goto err;
if (!EVP_DigestUpdate(m, &sp->state[0], k))
goto err;
- } else if (!EVP_DigestUpdate(m, &sp->state[st_idx], RAND_DIGEST_LENGTH / 2))
+ } else if (!EVP_DigestUpdate(m, &sp->state[st_idx], SHA_DIGEST_LENGTH / 2))
goto err;
if (!EVP_DigestFinal_ex(m, local_md, NULL))
goto err;
- for (i = 0; i < RAND_DIGEST_LENGTH / 2; i++) {
+ for (i = 0; i < SHA_DIGEST_LENGTH / 2; i++) {
/* may compete with other threads */
sp->state[st_idx++] ^= local_md[i];
if (st_idx >= st_num)
st_idx = 0;
if (i < j)
- *(buf++) = local_md[i + RAND_DIGEST_LENGTH / 2];
+ *(buf++) = local_md[i + SHA_DIGEST_LENGTH / 2];
}
}
- if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL)
+ if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL)
|| !EVP_DigestUpdate(m, (unsigned char *)md_c, sizeof(md_c))
- || !EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
+ || !EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
goto err;
CRYPTO_THREAD_write_lock(rand_lock);
/*
diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c
index 3513ac9..707f010 100644
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@@ -14,20 +14,58 @@
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA RAND_str_functs[] = {
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_BYTES, 0), "drbg_bytes"},
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_GET_ENTROPY, 0), "drbg_get_entropy"},
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_GET_ENTROPY, 0), "get_entropy"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_BYTES, 0), "RAND_bytes"},
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GENERATE, 0),
+ "RAND_DRBG_generate"},
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_INSTANTIATE, 0),
+ "RAND_DRBG_instantiate"},
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_NEW, 0), "RAND_DRBG_new"},
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_RESEED, 0), "RAND_DRBG_reseed"},
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_SET, 0), "RAND_DRBG_set"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_LOAD_FILE, 0), "RAND_load_file"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_WRITE_FILE, 0), "RAND_write_file"},
{0, NULL}
};
static const ERR_STRING_DATA RAND_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ADDITIONAL_INPUT_TOO_LONG),
+ "additional input too long"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ALREADY_INSTANTIATED),
+ "already instantiated"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_CANNOT_OPEN_FILE), "Cannot open file"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DRBG_NOT_INITIALISED),
+ "drbg not initialised"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_INITIALISING_DRBG),
+ "error initialising drbg"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_INSTANTIATING_DRBG),
+ "error instantiating drbg"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
+ "error retrieving additional input"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_ENTROPY),
+ "error retrieving entropy"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_NONCE),
+ "error retrieving nonce"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_FUNC_NOT_IMPLEMENTED),
"Function not implemented"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_FWRITE_ERROR), "Error writing file"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_GENERATE_ERROR), "generate error"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INTERNAL_ERROR), "internal error"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_IN_ERROR_STATE), "in error state"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_A_REGULAR_FILE),
"Not a regular file"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_INSTANTIATED), "not instantiated"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PERSONALISATION_STRING_TOO_LONG),
+ "personalisation string too long"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG),
+ "request too large for drbg"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_RESEED_ERROR), "reseed error"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_SELFTEST_FAILURE), "selftest failure"},
+ {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_UNSUPPORTED_DRBG_TYPE),
+ "unsupported drbg type"},
{0, NULL}
};
diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h
index 69c9630..d65d49f 100644
--- a/crypto/rand/rand_lcl.h
+++ b/crypto/rand/rand_lcl.h
@@ -10,15 +10,93 @@
#ifndef HEADER_RAND_LCL_H
# define HEADER_RAND_LCL_H
+# include <openssl/aes.h>
+# include <openssl/evp.h>
+# include <openssl/sha.h>
+# include <openssl/hmac.h>
+# include <openssl/ec.h>
+# include "include/internal/rand.h"
+
/* we require 256 bits of randomness */
# define RANDOMNESS_NEEDED (256 / 8)
-# include <openssl/evp.h>
-# include <openssl/sha.h>
+/* DRBG status values */
+#define DRBG_STATUS_UNINITIALISED 0
+#define DRBG_STATUS_READY 1
+#define DRBG_STATUS_RESEED 2
+#define DRBG_STATUS_ERROR 3
+
+/* A default maximum length: larger than any reasonable value used in pratice */
+#define DRBG_MAX_LENGTH 0x7ffffff0
+
+typedef struct drbg_ctr_ctx_st {
+ AES_KEY ks;
+ size_t keylen;
+ unsigned char K[32];
+ unsigned char V[16];
+ /* Temp variables used by derivation function */
+ AES_KEY df_ks;
+ AES_KEY df_kxks;
+ /* Temporary block storage used by ctr_df */
+ unsigned char bltmp[16];
+ size_t bltmp_pos;
+ unsigned char KX[48];
+} DRBG_CTR_CTX;
+
+struct drbg_ctx_st {
+ CRYPTO_RWLOCK *lock;
+ DRBG_CTX *parent;
+ int nid; /* the NID of the underlying algorithm */
+ unsigned int flags; /* various external flags */
+
+ /* The following parameters are setup by mechanism drbg_init() call */
+ int strength;
+ size_t blocklength;
+ size_t max_request;
+ size_t min_entropy, max_entropy;
+ size_t min_nonce, max_nonce;
+ size_t max_pers, max_adin;
+ unsigned int reseed_counter;
+ unsigned int reseed_interval;
+ size_t seedlen;
+ int status;
+
+ /* Application data: typically (only?) used by test get_entropy */
+ CRYPTO_EX_DATA ex_data;
+
+ /* Implementation specific structures */
+ DRBG_CTR_CTX ctr;
+
+ /* entropy gathering function */
+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len);
+ /* Indicates we have finished with entropy buffer */
+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
+
+ /* nonce gathering function */
+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len);
+ /* Indicates we have finished with nonce buffer */
+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
+};
-# define RAND_DIGEST EVP_sha1()
-# define RAND_DIGEST_LENGTH SHA_DIGEST_LENGTH
extern RAND_METHOD openssl_rand_meth;
+void rand_drbg_cleanup(void);
+
+int ctr_init(DRBG_CTX *dctx);
+int drbg_hash_init(DRBG_CTX *dctx);
+int drbg_hmac_init(DRBG_CTX *dctx);
+int ctr_uninstantiate(DRBG_CTX *dctx);
+int ctr_instantiate(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *nonce, size_t noncelen,
+ const unsigned char *pers, size_t perslen);
+int ctr_reseed(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *adin, size_t adinlen);
+int ctr_generate(DRBG_CTX *dctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adinlen);
#endif
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 1a1e282..c021486 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -49,6 +49,7 @@ void rand_cleanup_int(void)
CRYPTO_THREAD_lock_free(rand_engine_lock);
#endif
CRYPTO_THREAD_lock_free(rand_meth_lock);
+ rand_drbg_cleanup();
}
int RAND_set_rand_method(const RAND_METHOD *meth)
diff --git a/include/internal/rand.h b/include/internal/rand.h
new file mode 100644
index 0000000..95ad712
--- /dev/null
+++ b/include/internal/rand.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_DRBG_RAND_H
+# define HEADER_DRBG_RAND_H
+
+/* Flag for CTR mode only: use derivation function ctr_df */
+#define RAND_DRBG_FLAG_CTR_USE_DF 0x2
+
+const RAND_METHOD *RAND_drbg(void);
+
+int RAND_DRBG_set(DRBG_CTX *ctx, int type, unsigned int flags);
+DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent);
+int RAND_DRBG_instantiate(DRBG_CTX *dctx,
+ const unsigned char *pers, size_t perslen);
+int RAND_DRBG_uninstantiate(DRBG_CTX *dctx);
+int RAND_DRBG_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
+int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen);
+void RAND_DRBG_free(DRBG_CTX *dctx);
+
+int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len),
+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len),
+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)
+ );
+
+void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval);
+
+#define RAND_DRBG_get_ex_new_index(l, p, newf, dupf, freef) \
+ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DRBG, l, p, newf, dupf, freef)
+int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg);
+void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx);
+
+DRBG_CTX *RAND_DRBG_get_default(void);
+
+
+#endif
+
+
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index ad2cfe5..f0bc98f 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -107,7 +107,8 @@ DEFINE_STACK_OF(void)
# define CRYPTO_EX_INDEX_BIO 12
# define CRYPTO_EX_INDEX_APP 13
# define CRYPTO_EX_INDEX_UI_METHOD 14
-# define CRYPTO_EX_INDEX__COUNT 15
+# define CRYPTO_EX_INDEX_DRBG 15
+# define CRYPTO_EX_INDEX__COUNT 16
/*
* This is the default callbacks, but we can have others as well: this is
diff --git a/include/openssl/ossl_typ.h b/include/openssl/ossl_typ.h
index 173a42d..49bdead 100644
--- a/include/openssl/ossl_typ.h
+++ b/include/openssl/ossl_typ.h
@@ -114,6 +114,7 @@ typedef struct ec_key_st EC_KEY;
typedef struct ec_key_method_st EC_KEY_METHOD;
typedef struct rand_meth_st RAND_METHOD;
+typedef struct drbg_ctx_st DRBG_CTX;
typedef struct ssl_dane_st SSL_DANE;
typedef struct x509_st X509;
diff --git a/include/openssl/rand.h b/include/openssl/rand.h
index 5cda71b..b6b33cf 100644
--- a/include/openssl/rand.h
+++ b/include/openssl/rand.h
@@ -38,15 +38,15 @@ const RAND_METHOD *RAND_get_rand_method(void);
int RAND_set_rand_engine(ENGINE *engine);
# endif
RAND_METHOD *RAND_OpenSSL(void);
-#if OPENSSL_API_COMPAT < 0x10100000L
-# define RAND_cleanup() while(0) continue
-#endif
+# if OPENSSL_API_COMPAT < 0x10100000L
+# define RAND_cleanup() while(0) continue
+# endif
int RAND_bytes(unsigned char *buf, int num);
DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
void RAND_seed(const void *buf, int num);
-#if defined(__ANDROID__) && defined(__NDK_FPABI__)
+# if defined(__ANDROID__) && defined(__NDK_FPABI__)
__NDK_FPABI__ /* __attribute__((pcs("aapcs"))) on ARM */
-#endif
+# endif
void RAND_add(const void *buf, int num, double randomness);
int RAND_load_file(const char *file, long max_bytes);
int RAND_write_file(const char *file);
@@ -59,15 +59,16 @@ int RAND_egd_bytes(const char *path, int bytes);
# endif
int RAND_poll(void);
-#if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H))
+# if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H))
/* application has to include <windows.h> in order to use these */
DEPRECATEDIN_1_1_0(void RAND_screen(void))
DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
-#endif
+# endif
int ERR_load_RAND_strings(void);
-# ifdef __cplusplus
+#ifdef __cplusplus
}
-# endif
+#endif
+
#endif
diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h
index 244fd0e..79c652f 100644
--- a/include/openssl/randerr.h
+++ b/include/openssl/randerr.h
@@ -22,17 +22,42 @@ int ERR_load_RAND_strings(void);
/*
* RAND function codes.
*/
+# define RAND_F_DRBG_BYTES 101
+# define RAND_F_DRBG_GET_ENTROPY 105
+# define RAND_F_GET_ENTROPY 106
# define RAND_F_RAND_BYTES 100
-# define RAND_F_RAND_LOAD_FILE 101
-# define RAND_F_RAND_WRITE_FILE 102
+# define RAND_F_RAND_DRBG_GENERATE 107
+# define RAND_F_RAND_DRBG_INSTANTIATE 108
+# define RAND_F_RAND_DRBG_NEW 109
+# define RAND_F_RAND_DRBG_RESEED 110
+# define RAND_F_RAND_DRBG_SET 104
+# define RAND_F_RAND_LOAD_FILE 111
+# define RAND_F_RAND_WRITE_FILE 112
/*
* RAND reason codes.
*/
-# define RAND_R_CANNOT_OPEN_FILE 102
+# define RAND_R_ADDITIONAL_INPUT_TOO_LONG 102
+# define RAND_R_ALREADY_INSTANTIATED 103
+# define RAND_R_CANNOT_OPEN_FILE 121
+# define RAND_R_DRBG_NOT_INITIALISED 104
+# define RAND_R_ERROR_INITIALISING_DRBG 107
+# define RAND_R_ERROR_INSTANTIATING_DRBG 108
+# define RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 109
+# define RAND_R_ERROR_RETRIEVING_ENTROPY 110
+# define RAND_R_ERROR_RETRIEVING_NONCE 111
# define RAND_R_FUNC_NOT_IMPLEMENTED 101
-# define RAND_R_FWRITE_ERROR 103
-# define RAND_R_NOT_A_REGULAR_FILE 104
+# define RAND_R_FWRITE_ERROR 123
+# define RAND_R_GENERATE_ERROR 112
+# define RAND_R_INTERNAL_ERROR 113
+# define RAND_R_IN_ERROR_STATE 114
+# define RAND_R_NOT_A_REGULAR_FILE 122
+# define RAND_R_NOT_INSTANTIATED 115
+# define RAND_R_PERSONALISATION_STRING_TOO_LONG 116
# define RAND_R_PRNG_NOT_SEEDED 100
+# define RAND_R_REQUEST_TOO_LARGE_FOR_DRBG 117
+# define RAND_R_RESEED_ERROR 118
+# define RAND_R_SELFTEST_FAILURE 119
+# define RAND_R_UNSUPPORTED_DRBG_TYPE 120
#endif
diff --git a/test/build.info b/test/build.info
index 34c81a4..9664443 100644
--- a/test/build.info
+++ b/test/build.info
@@ -42,7 +42,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
pkey_meth_test uitest cipherbytes_test asn1_encode_test \
- x509_time_test x509_dup_cert_test x509_check_cert_pkey_test recordlentest \
+ x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
+ recordlentest drbgtest \
time_offset_test pemtest ssl_cert_table_internal_test
SOURCE[aborttest]=aborttest.c
@@ -302,6 +303,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
INCLUDE[recordlentest]=../include .
DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a
+ SOURCE[drbgtest]=drbgtest.c
+ INCLUDE[drbgtest]=../include . ..
+ DEPEND[drbgtest]=../libcrypto libtestutil.a
+
SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c
INCLUDE[x509_dup_cert_test]=../include
DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a
diff --git a/test/drbgtest.c b/test/drbgtest.c
new file mode 100644
index 0000000..80d0b8b
--- /dev/null
+++ b/test/drbgtest.c
@@ -0,0 +1,490 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include "e_os.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/obj_mac.h>
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include "../crypto/rand/rand_lcl.h"
+
+#include "testutil.h"
+#include "drbgtest.h"
+
+typedef struct drbg_selftest_data_st {
+ int post;
+ int nid;
+ unsigned int flags;
+
+ /* KAT data for no PR */
+ const unsigned char *ent;
+ size_t entlen;
+ const unsigned char *nonce;
+ size_t noncelen;
+ const unsigned char *pers;
+ size_t perslen;
+ const unsigned char *adin;
+ size_t adinlen;
+ const unsigned char *entreseed;
+ size_t entreseedlen;
+ const unsigned char *adinreseed;
+ size_t adinreseedlen;
+ const unsigned char *adin2;
+ size_t adin2len;
+ const unsigned char *expected;
+ size_t exlen;
+ const unsigned char *kat2;
+ size_t kat2len;
+
+ /* KAT data for PR */
+ const unsigned char *ent_pr;
+ size_t entlen_pr;
+ const unsigned char *nonce_pr;
+ size_t noncelen_pr;
+ const unsigned char *pers_pr;
+ size_t perslen_pr;
+ const unsigned char *adin_pr;
+ size_t adinlen_pr;
+ const unsigned char *entpr_pr;
+ size_t entprlen_pr;
+ const unsigned char *ading_pr;
+ size_t adinglen_pr;
+ const unsigned char *entg_pr;
+ size_t entglen_pr;
+ const unsigned char *kat_pr;
+ size_t katlen_pr;
+ const unsigned char *kat2_pr;
+ size_t kat2len_pr;
+} DRBG_SELFTEST_DATA;
+
+#define make_drbg_test_data(nid, flag, pr, post) {\
+ post, nid, flag, \
+ pr##_entropyinput, sizeof(pr##_entropyinput), \
+ pr##_nonce, sizeof(pr##_nonce), \
+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
+ pr##_additionalinput, sizeof(pr##_additionalinput), \
+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
+ pr##_returnedbits, sizeof(pr##_returnedbits), \
+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
+ }
+
+#define make_drbg_test_data_df(nid, pr, p) \
+ make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_USE_DF, pr, p)
+
+static DRBG_SELFTEST_DATA drbg_test[] = {
+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
+ make_drbg_test_data (NID_aes_128_ctr, 0, aes_128_no_df, 0),
+ make_drbg_test_data (NID_aes_192_ctr, 0, aes_192_no_df, 0),
+ make_drbg_test_data (NID_aes_256_ctr, 0, aes_256_no_df, 1),
+};
+
+static int app_data_index;
+
+/*
+ * Test context data, attached as appdata to the DRBG_CTX
+ */
+typedef struct test_ctx_st {
+ const unsigned char *ent;
+ size_t entlen;
+ int entcnt;
+ const unsigned char *nonce;
+ size_t noncelen;
+ int noncecnt;
+} TEST_CTX;
+
+static size_t kat_entropy(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index);
+
+ t->entcnt++;
+ *pout = (unsigned char *)t->ent;
+ return t->entlen;
+}
+
+static size_t kat_nonce(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index);
+
+ t->noncecnt++;
+ *pout = (unsigned char *)t->nonce;
+ return t->noncelen;
+}
+
+static int uninstantiate(DRBG_CTX *dctx)
+{
+ int ret = dctx == NULL ? 1 : RAND_DRBG_uninstantiate(dctx);
+
+ ERR_clear_error();
+ return ret;
+}
+
+/*
+ * Do a single KAT test. Return 0 on failure.
+ */
+static int single_kat(DRBG_SELFTEST_DATA *td)
+{
+ DRBG_CTX *dctx = NULL;
+ TEST_CTX t;
+ int failures = 0;
+ unsigned char buff[1024];
+
+ /*
+ * Test without PR: Instantiate DRBG with test entropy, nonce and
+ * personalisation string.
+ */
+ if (!TEST_ptr(dctx = RAND_DRBG_new(td->nid, td->flags, NULL)))
+ return 0;
+ if (!TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
+ kat_nonce, NULL))) {
+ failures++;
+ goto err;
+ }
+ memset(&t, 0, sizeof(t));
+ t.ent = td->ent;
+ t.entlen = td->entlen;
+ t.nonce = td->nonce;
+ t.noncelen = td->noncelen;
+ RAND_DRBG_set_ex_data(dctx, app_data_index, &t);
+
+ if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen))
+ || !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+ td->adin, td->adinlen))
+ || !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen))
+ failures++;
+
+ /* Reseed DRBG with test entropy and additional input */
+ t.ent = td->entreseed;
+ t.entlen = td->entreseedlen;
+ if (!TEST_true(RAND_DRBG_reseed(dctx, td->adinreseed, td->adinreseedlen)
+ || !TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len, 0,
+ td->adin2, td->adin2len))
+ || !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len)))
+ failures++;
+ uninstantiate(dctx);
+
+ /*
+ * Now test with PR: Instantiate DRBG with test entropy, nonce and
+ * personalisation string.
+ */
+ if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags))
+ || !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
+ kat_nonce, NULL)))
+ failures++;
+ RAND_DRBG_set_ex_data(dctx, app_data_index, &t);
+ t.ent = td->ent_pr;
+ t.entlen = td->entlen_pr;
+ t.nonce = td->nonce_pr;
+ t.noncelen = td->noncelen_pr;
+ t.entcnt = 0;
+ t.noncecnt = 0;
+ if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers_pr, td->perslen_pr)))
+ failures++;
+
+ /*
+ * Now generate with PR: we need to supply entropy as this will
+ * perform a reseed operation.
+ */
+ t.ent = td->entpr_pr;
+ t.entlen = td->entprlen_pr;
+ if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->katlen_pr, 1,
+ td->adin_pr, td->adinlen_pr))
+ || !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr))
+ failures++;
+
+ /*
+ * Now generate again with PR: supply new entropy again.
+ */
+ t.ent = td->entg_pr;
+ t.entlen = td->entglen_pr;
+
+ if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len_pr, 1,
+ td->ading_pr, td->adinglen_pr))
+ || !TEST_mem_eq(td->kat2_pr, td->kat2len_pr,
+ buff, td->kat2len_pr))
+ failures++;
+
+err:
+ uninstantiate(dctx);
+ RAND_DRBG_free(dctx);
+ return failures == 0;
+}
+
+/*
+ * Initialise a DRBG based on selftest data
+ */
+static int init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
+{
+ if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags))
+ || !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
+ kat_nonce, NULL)))
+ return 0;
+ RAND_DRBG_set_ex_data(dctx, app_data_index, t);
+ t->ent = td->ent;
+ t->entlen = td->entlen;
+ t->nonce = td->nonce;
+ t->noncelen = td->noncelen;
+ t->entcnt = 0;
+ t->noncecnt = 0;
+ return 1;
+}
+
+/*
+ * Initialise and instantiate DRBG based on selftest data
+ */
+static int instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
+ TEST_CTX *t)
+{
+ if (!TEST_true(init(dctx, td, t))
+ || !TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen)))
+ return 0;
+ return 1;
+}
+
+/*
+ * Perform extensive error checking as required by SP800-90.
+ * Induce several failure modes and check an error condition is set.
+ */
+static int error_check(DRBG_SELFTEST_DATA *td)
+{
+ static char zero[sizeof(DRBG_CTX)];
+ DRBG_CTX *dctx = NULL;
+ TEST_CTX t;
+ unsigned char buff[1024];
+ unsigned int reseed_counter_tmp;
+ int ret = 0;
+
+ if (!TEST_ptr(dctx = RAND_DRBG_new(0, 0, NULL)))
+ goto err;
+
+ /*
+ * Personalisation string tests
+ */
+
+ /* Test detection of too large personlisation string */
+ if (!init(dctx, td, &t)
+ || RAND_DRBG_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
+ goto err;
+
+ /*
+ * Entropy source tests
+ */
+
+ /* Test entropy source failure detecion: i.e. returns no data */
+ t.entlen = 0;
+ if (TEST_int_le(RAND_DRBG_instantiate(dctx, td->pers, td->perslen), 0))
+ goto err;
+
+ /* Try to generate output from uninstantiated DRBG */
+ if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+ td->adin, td->adinlen))
+ || !uninstantiate(dctx))
+ goto err;
+
+ /* Test insufficient entropy */
+ t.entlen = dctx->min_entropy - 1;
+ if (!init(dctx, td, &t)
+ || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
+ || !uninstantiate(dctx))
+ goto err;
+
+ /* Test too much entropy */
+ t.entlen = dctx->max_entropy + 1;
+ if (!init(dctx, td, &t)
+ || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
+ || !uninstantiate(dctx))
+ goto err;
+
+ /*
+ * Nonce tests
+ */
+
+ /* Test too small nonce */
+ if (dctx->min_nonce) {
+ t.noncelen = dctx->min_nonce - 1;
+ if (!init(dctx, td, &t)
+ || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
+ || !uninstantiate(dctx))
+ goto err;
+ }
+
+ /* Test too large nonce */
+ if (dctx->max_nonce) {
+ t.noncelen = dctx->max_nonce + 1;
+ if (!init(dctx, td, &t)
+ || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
+ || !uninstantiate(dctx))
+ goto err;
+ }
+
+ /* Instantiate with valid data, Check generation is now OK */
+ if (!instantiate(dctx, td, &t)
+ || !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+ td->adin, td->adinlen)))
+ goto err;
+
+ /* Request too much data for one request */
+ if (!TEST_false(RAND_DRBG_generate(dctx, buff, dctx->max_request + 1, 0,
+ td->adin, td->adinlen)))
+ goto err;
+
+ /* Try too large additional input */
+ if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+ td->adin, dctx->max_adin + 1)))
+ goto err;
+
+ /*
+ * Check prediction resistance request fails if entropy source
+ * failure.
+ */
+ t.entlen = 0;
+ if (TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1,
+ td->adin, td->adinlen))
+ || !uninstantiate(dctx))
+ goto err;
+
+ /* Instantiate again with valid data */
+ if (!instantiate(dctx, td, &t))
+ goto err;
+ reseed_counter_tmp = dctx->reseed_counter;
+ dctx->reseed_counter = dctx->reseed_interval;
+
+ /* Generate output and check entropy has been requested for reseed */
+ t.entcnt = 0;
+ if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+ td->adin, td->adinlen))
+ || !TEST_int_eq(t.entcnt, 1)
+ || !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1)
+ || !uninstantiate(dctx))
+ goto err;
+
+ /*
+ * Check prediction resistance request fails if entropy source
+ * failure.
+ */
+ t.entlen = 0;
+ if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1,
+ td->adin, td->adinlen))
+ || !uninstantiate(dctx))
+ goto err;
+
+ /* Test reseed counter works */
+ if (!instantiate(dctx, td, &t))
+ goto err;
+ reseed_counter_tmp = dctx->reseed_counter;
+ dctx->reseed_counter = dctx->reseed_interval;
+
+ /* Generate output and check entropy has been requested for reseed */
+ t.entcnt = 0;
+ if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+ td->adin, td->adinlen))
+ || !TEST_int_eq(t.entcnt, 1)
+ || !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1)
+ || !uninstantiate(dctx))
+ goto err;
+
+ /*
+ * Explicit reseed tests
+ */
+
+ /* Test explicit reseed with too large additional input */
+ if (!init(dctx, td, &t)
+ || RAND_DRBG_reseed(dctx, td->adin, dctx->max_adin + 1) > 0)
+ goto err;
+
+ /* Test explicit reseed with entropy source failure */
+ t.entlen = 0;
+ if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
+ || !uninstantiate(dctx))
+ goto err;
+
+ /* Test explicit reseed with too much entropy */
+ if (!init(dctx, td, &t))
+ goto err;
+ t.entlen = dctx->max_entropy + 1;
+ if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
+ || !uninstantiate(dctx))
+ goto err;
+
+ /* Test explicit reseed with too little entropy */
+ if (!init(dctx, td, &t))
+ goto err;
+ t.entlen = dctx->min_entropy - 1;
+ if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
+ || !uninstantiate(dctx))
+ goto err;
+
+ /* Standard says we have to check uninstantiate really zeroes */
+ if (!TEST_mem_eq(zero, sizeof(dctx->ctr), &dctx->ctr, sizeof(dctx->ctr)))
+ goto err;
+
+ ret = 1;
+
+err:
+ uninstantiate(dctx);
+ RAND_DRBG_free(dctx);
+ return ret;
+}
+
+static int test_kats(int i)
+{
+ DRBG_SELFTEST_DATA *td = &drbg_test[i];
+ int rv = 0;
+
+ if (!single_kat(td))
+ goto err;
+ rv = 1;
+
+err:
+ return rv;
+}
+
+static int test_error_checks(int i)
+{
+ DRBG_SELFTEST_DATA *td = &drbg_test[i];
+ int rv = 0;
+
+ if (error_check(td))
+ goto err;
+ rv = 1;
+
+err:
+ return rv;
+}
+
+
+int test_main(int argc, char *argv[])
+{
+ if (argc != 1) {
+ TEST_error("Usage: %s", argv[0]);
+ return EXIT_FAILURE;
+ }
+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+
+ ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test));
+ ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test));
+ return run_tests(argv[0]);
+}
diff --git a/test/drbgtest.h b/test/drbgtest.h
new file mode 100644
index 0000000..c11b8a2
--- /dev/null
+++ b/test/drbgtest.h
@@ -0,0 +1,579 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Known answer tests for SP800-90 DRBG CTR mode.
+ */
+
+
+/*
+ * AES-128 use df PR
+ */
+static const unsigned char aes_128_use_df_pr_entropyinput[] = {
+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
+ 0xc8, 0xdb, 0xff, 0x12
+};
+static const unsigned char aes_128_use_df_pr_nonce[] = {
+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
+};
+static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
+ 0xd7, 0xd7, 0x01, 0x67
+};
+static const unsigned char aes_128_use_df_pr_additionalinput[] = {
+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
+ 0x9a, 0x47, 0x08, 0x76
+};
+static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
+ 0x09, 0xfb, 0xa3, 0xb6
+};
+static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
+ 0x66, 0x1c, 0xea, 0x5b
+};
+static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
+ 0x3f, 0x5e, 0x31, 0x06
+};
+static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
+ 0xa7, 0xe3, 0xa8, 0x67
+};
+static const unsigned char aes_128_use_df_pr_returnedbits[] = {
+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
+ 0x0f, 0x38, 0x43, 0xc6
+};
+
+
+/*
+ * AES-128 use df no PR
+ */
+static const unsigned char aes_128_use_df_entropyinput[] = {
+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
+ 0x9d, 0x7d, 0x1c, 0x9b
+};
+static const unsigned char aes_128_use_df_nonce[] = {
+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96,
+};
+static const unsigned char aes_128_use_df_personalizationstring[] = {
+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
+ 0x38, 0x66, 0xba, 0x1b
+};
+static const unsigned char aes_128_use_df_additionalinput[] = {
+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
+ 0xb5, 0xe2, 0xb2, 0x41
+};
+static const unsigned char aes_128_use_df_int_returnedbits[] = {
+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
+ 0xe7, 0x57, 0x11, 0xb4
+};
+static const unsigned char aes_128_use_df_entropyinputreseed[] = {
+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
+ 0xc7, 0xc4, 0x9e, 0x39
+};
+static const unsigned char aes_128_use_df_additionalinputreseed[] = {
+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
+ 0xc8, 0x93, 0xfa, 0x84
+};
+static const unsigned char aes_128_use_df_additionalinput2[] = {
+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
+ 0x06, 0x0c, 0x15, 0x2c
+};
+static const unsigned char aes_128_use_df_returnedbits[] = {
+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
+ 0x46, 0x81, 0xc7, 0x19
+};
+
+
+/*
+ * AES-192 use df PR
+ */
+static const unsigned char aes_192_use_df_pr_entropyinput[] = {
+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
+};
+static const unsigned char aes_192_use_df_pr_nonce[] = {
+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
+ 0xd1, 0x80, 0x78, 0xfa
+};
+static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
+};
+static const unsigned char aes_192_use_df_pr_additionalinput[] = {
+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
+};
+static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5,
+};
+static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
+ 0x19, 0x30, 0x6b, 0x67
+};
+static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
+};
+static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e,
+};
+static const unsigned char aes_192_use_df_pr_returnedbits[] = {
+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
+ 0x7e, 0x1a, 0x2b, 0x83
+};
+
+
+/*
+ * AES-192 use df no PR
+ */
+static const unsigned char aes_192_use_df_entropyinput[] = {
+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b,
+};
+static const unsigned char aes_192_use_df_nonce[] = {
+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
+ 0x77, 0xd7, 0x41, 0x0e
+};
+static const unsigned char aes_192_use_df_personalizationstring[] = {
+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
+};
+static const unsigned char aes_192_use_df_additionalinput[] = {
+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
+};
+static const unsigned char aes_192_use_df_int_returnedbits[] = {
+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
+ 0xb7, 0xed, 0xe9, 0xea
+};
+static const unsigned char aes_192_use_df_entropyinputreseed[] = {
+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01,
+};
+static const unsigned char aes_192_use_df_additionalinputreseed[] = {
+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
+};
+static const unsigned char aes_192_use_df_additionalinput2[] = {
+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
+};
+static const unsigned char aes_192_use_df_returnedbits[] = {
+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
+ 0x1a, 0xf9, 0x13, 0x28
+};
+
+
+/*
+ * AES-256 use df PR
+ */
+static const unsigned char aes_256_use_df_pr_entropyinput[] = {
+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
+};
+static const unsigned char aes_256_use_df_pr_nonce[] = {
+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
+ 0x2b, 0x36, 0xff, 0xa4
+};
+static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
+};
+static const unsigned char aes_256_use_df_pr_additionalinput[] = {
+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
+};
+static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
+};
+static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
+ 0x17, 0xab, 0x3c, 0x7a
+};
+static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
+};
+static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
+};
+static const unsigned char aes_256_use_df_pr_returnedbits[] = {
+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
+ 0xd9, 0xe2, 0x97, 0x00
+};
+
+
+/*
+ * AES-256 use df no PR
+ */
+static const unsigned char aes_256_use_df_entropyinput[] = {
+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
+};
+static const unsigned char aes_256_use_df_nonce[] = {
+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
+ 0x4c, 0x44, 0x84, 0x40
+};
+static const unsigned char aes_256_use_df_personalizationstring[] = {
+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
+};
+static const unsigned char aes_256_use_df_additionalinput[] = {
+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
+};
+static const unsigned char aes_256_use_df_int_returnedbits[] = {
+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
+ 0x28, 0x0c, 0x3b, 0xc1
+};
+static const unsigned char aes_256_use_df_entropyinputreseed[] = {
+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
+};
+static const unsigned char aes_256_use_df_additionalinputreseed[] = {
+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
+};
+static const unsigned char aes_256_use_df_additionalinput2[] = {
+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
+};
+static const unsigned char aes_256_use_df_returnedbits[] = {
+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
+ 0xfa, 0xfd, 0x35, 0x5e
+};
+
+
+/*
+ * AES-128 no df PR
+ */
+static const unsigned char aes_128_no_df_pr_entropyinput[] = {
+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
+};
+static const unsigned char aes_128_no_df_pr_nonce[] = {
+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1,
+};
+static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
+};
+static const unsigned char aes_128_no_df_pr_additionalinput[] = {
+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
+};
+static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
+};
+static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
+ 0xaf, 0x19, 0x32, 0x16
+};
+static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
+};
+static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
+};
+static const unsigned char aes_128_no_df_pr_returnedbits[] = {
+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
+ 0x57, 0x82, 0x33, 0xaf
+};
+
+
+/*
+ * AES-128 no df no PR
+ */
+static const unsigned char aes_128_no_df_entropyinput[] = {
+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
+};
+static const unsigned char aes_128_no_df_nonce[] = {
+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13,
+};
+static const unsigned char aes_128_no_df_personalizationstring[] = {
+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
+};
+static const unsigned char aes_128_no_df_additionalinput[] = {
+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
+};
+static const unsigned char aes_128_no_df_int_returnedbits[] = {
+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
+ 0xed, 0x3e, 0x65, 0xc2
+};
+static const unsigned char aes_128_no_df_entropyinputreseed[] = {
+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
+};
+static const unsigned char aes_128_no_df_additionalinputreseed[] = {
+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
+};
+static const unsigned char aes_128_no_df_additionalinput2[] = {
+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
+};
+static const unsigned char aes_128_no_df_returnedbits[] = {
+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
+ 0x81, 0x37, 0x19, 0xd4
+};
+
+
+/*
+ * AES-192 no df PR
+ */
+static const unsigned char aes_192_no_df_pr_entropyinput[] = {
+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
+ 0x17, 0x1f, 0x8d, 0x9a
+};
+static const unsigned char aes_192_no_df_pr_nonce[] = {
+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
+ 0x61, 0x5c, 0xee, 0x0f
+};
+static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
+ 0x57, 0x2e, 0xe7, 0x55
+};
+static const unsigned char aes_192_no_df_pr_additionalinput[] = {
+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
+ 0xe2, 0xd0, 0x0c, 0x2f
+};
+static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
+ 0x1d, 0x30, 0xb3, 0x78
+};
+static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
+ 0x7e, 0x3e, 0x0c, 0x26
+};
+static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
+ 0x0c, 0x4b, 0xee, 0x6e
+};
+static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
+ 0x8e, 0x0a, 0x83, 0xdf
+};
+static const unsigned char aes_192_no_df_pr_returnedbits[] = {
+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
+ 0xb9, 0xa1, 0x21, 0x68
+};
+
+
+/*
+ * AES-192 no df no PR
+ */
+static const unsigned char aes_192_no_df_entropyinput[] = {
+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
+ 0x94, 0xc3, 0x59, 0x63
+};
+static const unsigned char aes_192_no_df_nonce[] = {
+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
+ 0x29, 0xfd, 0x45, 0x71
+};
+static const unsigned char aes_192_no_df_personalizationstring[] = {
+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
+ 0x3b, 0x88, 0xce, 0x35
+};
+static const unsigned char aes_192_no_df_additionalinput[] = {
+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
+ 0x3e, 0xbe, 0xd4, 0x8e
+};
+static const unsigned char aes_192_no_df_int_returnedbits[] = {
+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
+ 0x45, 0xe7, 0x4a, 0xc5
+};
+static const unsigned char aes_192_no_df_entropyinputreseed[] = {
+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
+ 0x9b, 0xcb, 0x7e, 0x75
+};
+static const unsigned char aes_192_no_df_additionalinputreseed[] = {
+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
+ 0x5d, 0x7a, 0x25, 0x79
+};
+static const unsigned char aes_192_no_df_additionalinput2[] = {
+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
+ 0x91, 0x6a, 0xe3, 0x5f
+};
+static const unsigned char aes_192_no_df_returnedbits[] = {
+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
+ 0x66, 0x67, 0x2c, 0x92
+};
+
+
+/*
+ * AES-256 no df PR
+ */
+static const unsigned char aes_256_no_df_pr_entropyinput[] = {
+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c,
+};
+static const unsigned char aes_256_no_df_pr_nonce[] = {
+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
+ 0xcc, 0x4b, 0xee, 0x2e
+};
+static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06,
+};
+static const unsigned char aes_256_no_df_pr_additionalinput[] = {
+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e,
+};
+static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f,
+};
+static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
+ 0x79, 0x60, 0x93, 0xcf
+};
+static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb,
+};
+static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f,
+};
+static const unsigned char aes_256_no_df_pr_returnedbits[] = {
+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
+ 0x2d, 0x5f, 0x4a, 0x46
+};
+
+
+/*
+ * AES-256 no df no PR
+ */
+static const unsigned char aes_256_no_df_entropyinput[] = {
+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3,
+};
+static const unsigned char aes_256_no_df_nonce[] = {
+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
+ 0x43, 0x96, 0xb9, 0xf0
+};
+static const unsigned char aes_256_no_df_personalizationstring[] = {
+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d,
+};
+static const unsigned char aes_256_no_df_additionalinput[] = {
+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17,
+};
+static const unsigned char aes_256_no_df_int_returnedbits[] = {
+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
+ 0xd2, 0x25, 0x75, 0x0e
+};
+static const unsigned char aes_256_no_df_entropyinputreseed[] = {
+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb,
+};
+static const unsigned char aes_256_no_df_additionalinputreseed[] = {
+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29,
+};
+static const unsigned char aes_256_no_df_additionalinput2[] = {
+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6,
+};
+static const unsigned char aes_256_no_df_returnedbits[] = {
+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
+ 0xf6, 0x02, 0x32, 0xe2
+};
diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t
index 3b175fa..64840db 100644
--- a/test/recipes/05-test_rand.t
+++ b/test/recipes/05-test_rand.t
@@ -6,7 +6,12 @@
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use OpenSSL::Test;
-use OpenSSL::Test::Simple;
+plan tests => 2;
+setup("test_rand");
-simple_test("test_rand", "randtest", "rand");
+ok(run(test(["randtest"])));
+ok(run(test(["drbgtest"])));
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 4369694..136fbaf 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4345,3 +4345,16 @@ OSSL_STORE_LOADER_get0_engine 4287 1_1_1 EXIST::FUNCTION:
OPENSSL_fork_prepare 4288 1_1_1 EXIST:UNIX:FUNCTION:
OPENSSL_fork_parent 4289 1_1_1 EXIST:UNIX:FUNCTION:
OPENSSL_fork_child 4290 1_1_1 EXIST:UNIX:FUNCTION:
+RAND_drbg 4291 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_instantiate 4292 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_uninstantiate 4293 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_get_default 4294 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_set 4295 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_set_callbacks 4296 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_new 4297 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_set_reseed_interval 4298 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_free 4299 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_generate 4300 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_reseed 4301 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_set_ex_data 4302 1_1_1 EXIST::FUNCTION:
+RAND_DRBG_get_ex_data 4303 1_1_1 EXIST::FUNCTION:
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 6315a5b..b3eb6b3 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -246,6 +246,7 @@ my $crypto ="include/internal/dso.h";
$crypto.=" include/internal/o_dir.h";
$crypto.=" include/internal/o_str.h";
$crypto.=" include/internal/err.h";
+$crypto.=" include/internal/rand.h";
foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) {
my $fn = "include/openssl/" . lc(basename($f));
$crypto .= " $fn" if !defined $skipthese{$fn} && $f !~ m@/[a-z]+err\.h$@;
More information about the openssl-commits
mailing list