From 12fb8c3d2dd00f3d4f1b084385403d26ed64a596 Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Tue, 27 Jun 2017 12:04:37 -0400 Subject: [PATCH] Add DRBG random method Ported from the last FIPS release, with DUAL_EC and SHA1 and the self-tests removed. Since only AES-CTR is supported, other code simplifications were done. Removed the "entropy blocklen" concept. Moved internal functions to new include/internal/rand.h. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/3789) --- crypto/err/openssl.txt | 35 ++- crypto/rand/build.info | 2 +- crypto/rand/drbg_lib.c | 349 ++++++++++++++++++++++ crypto/rand/drbg_rand.c | 449 ++++++++++++++++++++++++++++ crypto/rand/ossl_rand.c | 52 ++-- crypto/rand/rand_err.c | 38 +++ crypto/rand/rand_lcl.h | 86 +++++- crypto/rand/rand_lib.c | 1 + include/internal/rand.h | 50 ++++ include/openssl/crypto.h | 3 +- include/openssl/ossl_typ.h | 1 + include/openssl/rand.h | 19 +- include/openssl/randerr.h | 35 ++- test/build.info | 7 +- test/drbgtest.c | 490 ++++++++++++++++++++++++++++++ test/drbgtest.h | 579 ++++++++++++++++++++++++++++++++++++ test/recipes/05-test_rand.t | 9 +- util/libcrypto.num | 13 + util/mkdef.pl | 1 + 19 files changed, 2165 insertions(+), 54 deletions(-) create mode 100644 crypto/rand/drbg_lib.c create mode 100644 crypto/rand/drbg_rand.c create mode 100644 include/internal/rand.h create mode 100644 test/drbgtest.c create mode 100644 test/drbgtest.h diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index f8428706d2..d8fcb9ac60 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -860,9 +860,17 @@ PKCS7_F_PKCS7_SIGNER_INFO_SIGN:139:PKCS7_SIGNER_INFO_sign PKCS7_F_PKCS7_SIGN_ADD_SIGNER:137:PKCS7_sign_add_signer PKCS7_F_PKCS7_SIMPLE_SMIMECAP:119:PKCS7_simple_smimecap PKCS7_F_PKCS7_VERIFY:117:PKCS7_verify +RAND_F_DRBG_BYTES:101:drbg_bytes +RAND_F_DRBG_GET_ENTROPY:105:drbg_get_entropy +RAND_F_GET_ENTROPY:106:get_entropy RAND_F_RAND_BYTES:100:RAND_bytes -RAND_F_RAND_LOAD_FILE:101:RAND_load_file -RAND_F_RAND_WRITE_FILE:102:RAND_write_file +RAND_F_RAND_DRBG_GENERATE:107:RAND_DRBG_generate +RAND_F_RAND_DRBG_INSTANTIATE:108:RAND_DRBG_instantiate +RAND_F_RAND_DRBG_NEW:109:RAND_DRBG_new +RAND_F_RAND_DRBG_RESEED:110:RAND_DRBG_reseed +RAND_F_RAND_DRBG_SET:104:RAND_DRBG_set +RAND_F_RAND_LOAD_FILE:111:RAND_load_file +RAND_F_RAND_WRITE_FILE:112:RAND_write_file RSA_F_CHECK_PADDING_MD:140:check_padding_md RSA_F_ENCODE_PKCS1:146:encode_pkcs1 RSA_F_INT_RSA_VERIFY:145:int_rsa_verify @@ -2098,11 +2106,28 @@ PKCS7_R_UNSUPPORTED_CIPHER_TYPE:111:unsupported cipher type PKCS7_R_UNSUPPORTED_CONTENT_TYPE:112:unsupported content type PKCS7_R_WRONG_CONTENT_TYPE:113:wrong content type PKCS7_R_WRONG_PKCS7_TYPE:114:wrong pkcs7 type -RAND_R_CANNOT_OPEN_FILE:102:Cannot open file +RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long +RAND_R_ALREADY_INSTANTIATED:103:already instantiated +RAND_R_CANNOT_OPEN_FILE:121:Cannot open file +RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised +RAND_R_ERROR_INITIALISING_DRBG:107:error initialising drbg +RAND_R_ERROR_INSTANTIATING_DRBG:108:error instantiating drbg +RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:109:error retrieving additional input +RAND_R_ERROR_RETRIEVING_ENTROPY:110:error retrieving entropy +RAND_R_ERROR_RETRIEVING_NONCE:111:error retrieving nonce RAND_R_FUNC_NOT_IMPLEMENTED:101:Function not implemented -RAND_R_FWRITE_ERROR:103:Error writing file -RAND_R_NOT_A_REGULAR_FILE:104:Not a regular file +RAND_R_FWRITE_ERROR:123:Error writing file +RAND_R_GENERATE_ERROR:112:generate error +RAND_R_INTERNAL_ERROR:113:internal error +RAND_R_IN_ERROR_STATE:114:in error state +RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file +RAND_R_NOT_INSTANTIATED:115:not instantiated +RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded +RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg +RAND_R_RESEED_ERROR:118:reseed error +RAND_R_SELFTEST_FAILURE:119:selftest failure +RAND_R_UNSUPPORTED_DRBG_TYPE:120:unsupported drbg type RSA_R_ALGORITHM_MISMATCH:100:algorithm mismatch RSA_R_BAD_E_VALUE:101:bad e value RSA_R_BAD_FIXED_HEADER_DECRYPT:102:bad fixed header decrypt diff --git a/crypto/rand/build.info b/crypto/rand/build.info index 9e0a90b73d..f011d78d88 100644 --- a/crypto/rand/build.info +++ b/crypto/rand/build.info @@ -1,4 +1,4 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ ossl_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \ - rand_win.c rand_unix.c rand_vms.c + rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_rand.c diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c new file mode 100644 index 0000000000..b9161ab23c --- /dev/null +++ b/crypto/rand/drbg_lib.c @@ -0,0 +1,349 @@ +/* + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "rand_lcl.h" + +/* + * Support framework for NIST SP 800-90A DRBG, AES-CTR mode. + */ + +/* + * Get entropy from the existing callback. This is mainly used for KATs. + */ +static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + if (dctx->get_entropy != NULL) + return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); + /* TODO: Get from parent if it exists. */ + return 0; +} + +/* + * Cleanup entropy. + */ +static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen) +{ + if (dctx->cleanup_entropy != NULL) + dctx->cleanup_entropy(dctx, out, olen); +} + +/* + * The OpenSSL model is to have new and free functions, and that new + * does all initialization. That is not the NIST model, which has + * instantiation and un-instantiate, and re-use within a new/free + * lifecycle. (No doubt this comes from the desire to support hardware + * DRBG, where allocation of resources on something like an HSM is + * a much bigger deal than just re-setting an allocated resource.) + * + * The DRBG_CTX is OpenSSL's opaque pointer to an instance of the + * DRBG. + */ + +/* + * Set/initialize |dctx| to be of type |nid|, with optional |flags|. + * Return -2 if the type is not supported, 1 on success and -1 on + * failure. + */ +int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags) +{ + int ret = 1; + + dctx->status = DRBG_STATUS_UNINITIALISED; + dctx->flags = flags; + dctx->nid = nid; + + switch (nid) { + default: + RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE); + return -2; + case 0: + /* Uninitialized; that's okay. */ + return 1; + case NID_aes_128_ctr: + case NID_aes_192_ctr: + case NID_aes_256_ctr: + ret = ctr_init(dctx); + break; + } + + if (ret < 0) + RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG); + return ret; +} + +/* + * Allocate memory and initialize a new DRBG. The |parent|, if not + * NULL, will be used to auto-seed this DRBG_CTX as needed. + */ +DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent) +{ + DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx)); + + if (dctx == NULL) { + RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } + + dctx->parent = parent; + if (RAND_DRBG_set(dctx, type, flags) < 0) { + OPENSSL_free(dctx); + return NULL; + } + return dctx; +} + +/* + * Uninstantiate |dctx| and free all memory. + */ +void RAND_DRBG_free(DRBG_CTX *dctx) +{ + if (dctx == NULL) + return; + + ctr_uninstantiate(dctx); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data); + + /* Don't free up default DRBG */ + if (dctx == RAND_DRBG_get_default()) { + memset(dctx, 0, sizeof(DRBG_CTX)); + dctx->nid = 0; + dctx->status = DRBG_STATUS_UNINITIALISED; + } else { + OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr)); + OPENSSL_free(dctx); + } +} + +/* + * Instantiate |dctx|, after it has been initialized. Use |pers| and + * |perslen| as prediction-resistance input. + */ +int RAND_DRBG_instantiate(DRBG_CTX *dctx, + const unsigned char *pers, size_t perslen) +{ + size_t entlen = 0, noncelen = 0; + unsigned char *nonce = NULL, *entropy = NULL; + int r = 0; + + if (perslen > dctx->max_pers) { + r = RAND_R_PERSONALISATION_STRING_TOO_LONG; + goto end; + } + if (dctx->status != DRBG_STATUS_UNINITIALISED) { + r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE + : RAND_R_ALREADY_INSTANTIATED; + goto end; + } + + dctx->status = DRBG_STATUS_ERROR; + entlen = get_entropy(dctx, &entropy, dctx->strength, + dctx->min_entropy, dctx->max_entropy); + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { + r = RAND_R_ERROR_RETRIEVING_ENTROPY; + goto end; + } + + if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) { + noncelen = dctx->get_nonce(dctx, &nonce, + dctx->strength / 2, + dctx->min_nonce, dctx->max_nonce); + + if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { + r = RAND_R_ERROR_RETRIEVING_NONCE; + goto end; + } + } + + if (!ctr_instantiate(dctx, entropy, entlen, + nonce, noncelen, pers, perslen)) { + r = RAND_R_ERROR_INSTANTIATING_DRBG; + goto end; + } + + dctx->status = DRBG_STATUS_READY; + dctx->reseed_counter = 1; + +end: + if (entropy != NULL && dctx->cleanup_entropy != NULL) + dctx->cleanup_entropy(dctx, entropy, entlen); + if (nonce != NULL && dctx->cleanup_nonce!= NULL ) + dctx->cleanup_nonce(dctx, nonce, noncelen); + if (dctx->status == DRBG_STATUS_READY) + return 1; + + if (r) + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r); + return 0; +} + +/* + * Uninstantiate |dctx|. Must be instantiated before it can be used. + */ +int RAND_DRBG_uninstantiate(DRBG_CTX *dctx) +{ + int ret = ctr_uninstantiate(dctx); + + OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr)); + dctx->status = DRBG_STATUS_UNINITIALISED; + return ret; +} + +/* + * Mix in the specified data to reseed |dctx|. + */ +int RAND_DRBG_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) +{ + unsigned char *entropy = NULL; + size_t entlen = 0; + int r = 0; + + if (dctx->status != DRBG_STATUS_READY + && dctx->status != DRBG_STATUS_RESEED) { + if (dctx->status == DRBG_STATUS_ERROR) + r = RAND_R_IN_ERROR_STATE; + else if (dctx->status == DRBG_STATUS_UNINITIALISED) + r = RAND_R_NOT_INSTANTIATED; + goto end; + } + + if (adin == NULL) + adinlen = 0; + else if (adinlen > dctx->max_adin) { + r = RAND_R_ADDITIONAL_INPUT_TOO_LONG; + goto end; + } + + dctx->status = DRBG_STATUS_ERROR; + entlen = get_entropy(dctx, &entropy, dctx->strength, + dctx->min_entropy, dctx->max_entropy); + + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { + r = RAND_R_ERROR_RETRIEVING_ENTROPY; + goto end; + } + + if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen)) + goto end; + dctx->status = DRBG_STATUS_READY; + dctx->reseed_counter = 1; + +end: + if (entropy != NULL && dctx->cleanup_entropy != NULL) + cleanup_entropy(dctx, entropy, entlen); + if (dctx->status == DRBG_STATUS_READY) + return 1; + if (r) + RANDerr(RAND_F_RAND_DRBG_RESEED, r); + + return 0; +} + +/* + * Generate |outlen| bytes into the buffer at |out|. Reseed if we need + * to or if |prediction_resistance| is set. Additional input can be + * sent in |adin| and |adinlen|. + */ +int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, + int prediction_resistance, + const unsigned char *adin, size_t adinlen) +{ + int r = 0; + + if (dctx->status != DRBG_STATUS_READY + && dctx->status != DRBG_STATUS_RESEED) { + if (dctx->status == DRBG_STATUS_ERROR) + r = RAND_R_IN_ERROR_STATE; + else if(dctx->status == DRBG_STATUS_UNINITIALISED) + r = RAND_R_NOT_INSTANTIATED; + goto end; + } + + if (outlen > dctx->max_request) { + r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG; + return 0; + } + if (adinlen > dctx->max_adin) { + r = RAND_R_ADDITIONAL_INPUT_TOO_LONG; + goto end; + } + + if (dctx->reseed_counter >= dctx->reseed_interval) + dctx->status = DRBG_STATUS_RESEED; + + if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) { + if (!RAND_DRBG_reseed(dctx, adin, adinlen)) { + r = RAND_R_RESEED_ERROR; + goto end; + } + adin = NULL; + adinlen = 0; + } + + if (!ctr_generate(dctx, out, outlen, adin, adinlen)) { + r = RAND_R_GENERATE_ERROR; + dctx->status = DRBG_STATUS_ERROR; + goto end; + } + if (dctx->reseed_counter >= dctx->reseed_interval) + dctx->status = DRBG_STATUS_RESEED; + else + dctx->reseed_counter++; + return 1; + +end: + RANDerr(RAND_F_RAND_DRBG_GENERATE, r); + return 0; +} + +/* + * Set the callbacks for entropy and nonce. Used mainly for the KATs + */ +int RAND_DRBG_set_callbacks(DRBG_CTX *dctx, + size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len), + void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen), + size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len), + void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)) +{ + if (dctx->status != DRBG_STATUS_UNINITIALISED) + return 0; + dctx->get_entropy = cb_get_entropy; + dctx->cleanup_entropy = cb_cleanup_entropy; + dctx->get_nonce = cb_get_nonce; + dctx->cleanup_nonce = cb_cleanup_nonce; + return 1; +} + +/* + * Set the reseed internal. Used mainly for the KATs. + */ +void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval) +{ + dctx->reseed_interval = interval; +} + +/* + * Get and set the EXDATA + */ +int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg) +{ + return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg); +} + +void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx) +{ + return CRYPTO_get_ex_data(&dctx->ex_data, idx); +} diff --git a/crypto/rand/drbg_rand.c b/crypto/rand/drbg_rand.c new file mode 100644 index 0000000000..858f74a45e --- /dev/null +++ b/crypto/rand/drbg_rand.c @@ -0,0 +1,449 @@ +/* + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include "rand_lcl.h" +#include "internal/thread_once.h" + +/* + * Mapping of NIST SP 800-90A DRBG to OpenSSL RAND_METHOD. + */ + + +/* + * The default global DRBG and its auto-init/auto-cleanup. + */ +static DRBG_CTX ossl_drbg; + +static CRYPTO_ONCE ossl_drbg_init = CRYPTO_ONCE_STATIC_INIT; + +DEFINE_RUN_ONCE_STATIC(do_ossl_drbg_init) +{ + ossl_drbg.lock = CRYPTO_THREAD_lock_new(); + return ossl_drbg.lock != NULL; +} + +void rand_drbg_cleanup(void) +{ + CRYPTO_THREAD_lock_free(ossl_drbg.lock); +} + +static void inc_128(DRBG_CTR_CTX *cctx) +{ + int i; + unsigned char c; + unsigned char *p = &cctx->V[15]; + + for (i = 0; i < 16; i++, p--) { + c = *p; + c++; + *p = c; + if (c != 0) { + /* If we didn't wrap around, we're done. */ + break; + } + } +} + +static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen) +{ + size_t i, n; + + if (in == NULL || inlen == 0) + return; + + /* + * Any zero padding will have no effect on the result as we + * are XORing. So just process however much input we have. + */ + n = inlen < cctx->keylen ? inlen : cctx->keylen; + for (i = 0; i < n; i++) + cctx->K[i] ^= in[i]; + if (inlen <= cctx->keylen) + return; + + n = inlen - cctx->keylen; + if (n > 16) { + /* Should never happen */ + n = 16; + } + for (i = 0; i < 16; i++) + cctx->V[i] ^= in[i + cctx->keylen]; +} + +/* + * Process a complete block using BCC algorithm of SP 800-90A 10.3.3 + */ +static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out, + const unsigned char *in) +{ + int i; + + for (i = 0; i < 16; i++) + out[i] ^= in[i]; + AES_encrypt(out, out, &cctx->df_ks); +} + + +/* + * Handle several BCC operations for as much data as we need for K and X + */ +static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in) +{ + ctr_BCC_block(cctx, cctx->KX, in); + ctr_BCC_block(cctx, cctx->KX + 16, in); + if (cctx->keylen != 16) + ctr_BCC_block(cctx, cctx->KX + 32, in); +} + +/* + * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions: + * see 10.3.1 stage 7. + */ +static void ctr_BCC_init(DRBG_CTR_CTX *cctx) +{ + memset(cctx->KX, 0, 48); + memset(cctx->bltmp, 0, 16); + ctr_BCC_block(cctx, cctx->KX, cctx->bltmp); + cctx->bltmp[3] = 1; + ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp); + if (cctx->keylen != 16) { + cctx->bltmp[3] = 2; + ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp); + } +} + +/* + * Process several blocks into BCC algorithm, some possibly partial + */ +static void ctr_BCC_update(DRBG_CTR_CTX *cctx, + const unsigned char *in, size_t inlen) +{ + if (in == NULL || inlen == 0) + return; + + /* If we have partial block handle it first */ + if (cctx->bltmp_pos) { + size_t left = 16 - cctx->bltmp_pos; + + /* If we now have a complete block process it */ + if (inlen >= left) { + memcpy(cctx->bltmp + cctx->bltmp_pos, in, left); + ctr_BCC_blocks(cctx, cctx->bltmp); + cctx->bltmp_pos = 0; + inlen -= left; + in += left; + } + } + + /* Process zero or more complete blocks */ + for (; inlen >= 16; in += 16, inlen -= 16) { + ctr_BCC_blocks(cctx, in); + } + + /* Copy any remaining partial block to the temporary buffer */ + if (inlen > 0) { + memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen); + cctx->bltmp_pos += inlen; + } +} + +static void ctr_BCC_final(DRBG_CTR_CTX *cctx) +{ + if (cctx->bltmp_pos) { + memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos); + ctr_BCC_blocks(cctx, cctx->bltmp); + } +} + +static void ctr_df(DRBG_CTR_CTX *cctx, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *in3, size_t in3len) +{ + static unsigned char c80 = 0x80; + size_t inlen; + unsigned char *p = cctx->bltmp; + + ctr_BCC_init(cctx); + if (in1 == NULL) + in1len = 0; + if (in2 == NULL) + in2len = 0; + if (in3 == NULL) + in3len = 0; + inlen = in1len + in2len + in3len; + /* Initialise L||N in temporary block */ + *p++ = (inlen >> 24) & 0xff; + *p++ = (inlen >> 16) & 0xff; + *p++ = (inlen >> 8) & 0xff; + *p++ = inlen & 0xff; + + /* NB keylen is at most 32 bytes */ + *p++ = 0; + *p++ = 0; + *p++ = 0; + *p = (unsigned char)((cctx->keylen + 16) & 0xff); + cctx->bltmp_pos = 8; + ctr_BCC_update(cctx, in1, in1len); + ctr_BCC_update(cctx, in2, in2len); + ctr_BCC_update(cctx, in3, in3len); + ctr_BCC_update(cctx, &c80, 1); + ctr_BCC_final(cctx); + /* Set up key K */ + AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks); + /* X follows key K */ + AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks); + AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks); + if (cctx->keylen != 16) + AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks); +} + +/* + * NB the no-df Update in SP800-90A specifies a constant input length + * of seedlen, however other uses of this algorithm pad the input with + * zeroes if necessary and have up to two parameters XORed together, + * handle both cases in this function instead. + */ +static void ctr_update(DRBG_CTX *dctx, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *nonce, size_t noncelen) +{ + DRBG_CTR_CTX *cctx = &dctx->ctr; + + /* ks is already setup for correct key */ + inc_128(cctx); + AES_encrypt(cctx->V, cctx->K, &cctx->ks); + + /* If keylen longer than 128 bits need extra encrypt */ + if (cctx->keylen != 16) { + inc_128(cctx); + AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks); + } + inc_128(cctx); + AES_encrypt(cctx->V, cctx->V, &cctx->ks); + + /* If 192 bit key part of V is on end of K */ + if (cctx->keylen == 24) { + memcpy(cctx->V + 8, cctx->V, 8); + memcpy(cctx->V, cctx->K + 24, 8); + } + + if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) { + /* If no input reuse existing derived value */ + if (in1 != NULL || nonce != NULL || in2 != NULL) + ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len); + /* If this a reuse input in1len != 0 */ + if (in1len) + ctr_XOR(cctx, cctx->KX, dctx->seedlen); + } else { + ctr_XOR(cctx, in1, in1len); + ctr_XOR(cctx, in2, in2len); + } + + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); +} + +int ctr_instantiate(DRBG_CTX *dctx, + const unsigned char *ent, size_t entlen, + const unsigned char *nonce, size_t noncelen, + const unsigned char *pers, size_t perslen) +{ + DRBG_CTR_CTX *cctx = &dctx->ctr; + + memset(cctx->K, 0, sizeof(cctx->K)); + memset(cctx->V, 0, sizeof(cctx->V)); + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); + ctr_update(dctx, ent, entlen, pers, perslen, nonce, noncelen); + return 1; +} + +int ctr_reseed(DRBG_CTX *dctx, + const unsigned char *ent, size_t entlen, + const unsigned char *adin, size_t adinlen) +{ + ctr_update(dctx, ent, entlen, adin, adinlen, NULL, 0); + return 1; +} + +int ctr_generate(DRBG_CTX *dctx, + unsigned char *out, size_t outlen, + const unsigned char *adin, size_t adinlen) +{ + DRBG_CTR_CTX *cctx = &dctx->ctr; + + if (adin != NULL && adinlen != 0) { + ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0); + /* This means we reuse derived value */ + if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) { + adin = NULL; + adinlen = 1; + } + } else { + adinlen = 0; + } + + for ( ; ; ) { + inc_128(cctx); + if (outlen < 16) { + /* Use K as temp space as it will be updated */ + AES_encrypt(cctx->V, cctx->K, &cctx->ks); + memcpy(out, cctx->K, outlen); + break; + } + AES_encrypt(cctx->V, out, &cctx->ks); + out += 16; + outlen -= 16; + if (outlen == 0) + break; + } + + ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0); + return 1; +} + +int ctr_uninstantiate(DRBG_CTX *dctx) +{ + memset(&dctx->ctr, 0, sizeof(dctx->ctr)); + return 1; +} + +int ctr_init(DRBG_CTX *dctx) +{ + DRBG_CTR_CTX *cctx = &dctx->ctr; + size_t keylen; + + switch (dctx->nid) { + default: + /* This can't happen, but silence the compiler warning. */ + return -1; + case NID_aes_128_ctr: + keylen = 16; + break; + case NID_aes_192_ctr: + keylen = 24; + break; + case NID_aes_256_ctr: + keylen = 32; + break; + } + + cctx->keylen = keylen; + dctx->strength = keylen * 8; + dctx->blocklength = 16; + dctx->seedlen = keylen + 16; + + if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) { + /* df initialisation */ + static unsigned char df_key[32] = { + 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07, + 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f, + 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17, + 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f + }; + /* Set key schedule for df_key */ + AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks); + + dctx->min_entropy = cctx->keylen; + dctx->max_entropy = DRBG_MAX_LENGTH; + dctx->min_nonce = dctx->min_entropy / 2; + dctx->max_nonce = DRBG_MAX_LENGTH; + dctx->max_pers = DRBG_MAX_LENGTH; + dctx->max_adin = DRBG_MAX_LENGTH; + } else { + dctx->min_entropy = dctx->seedlen; + dctx->max_entropy = dctx->seedlen; + /* Nonce not used */ + dctx->min_nonce = 0; + dctx->max_nonce = 0; + dctx->max_pers = dctx->seedlen; + dctx->max_adin = dctx->seedlen; + } + + dctx->max_request = 1 << 16; + dctx->reseed_interval = 1 << 24; + return 1; +} + + +/* + * The following function tie the DRBG code into the RAND_METHOD + */ + +DRBG_CTX *RAND_DRBG_get_default(void) +{ + if (!RUN_ONCE(&ossl_drbg_init, do_ossl_drbg_init)) + return NULL; + return &ossl_drbg; +} + +static int drbg_bytes(unsigned char *out, int count) +{ + DRBG_CTX *dctx = RAND_DRBG_get_default(); + int ret = 0; + + CRYPTO_THREAD_write_lock(dctx->lock); + do { + size_t rcnt; + + if (count > (int)dctx->max_request) + rcnt = dctx->max_request; + else + rcnt = count; + ret = RAND_DRBG_generate(dctx, out, rcnt, 0, NULL, 0); + if (!ret) + goto err; + out += rcnt; + count -= rcnt; + } while (count); + ret = 1; +err: + CRYPTO_THREAD_unlock(dctx->lock); + return ret; +} + +static int drbg_status(void) +{ + DRBG_CTX *dctx = RAND_DRBG_get_default(); + int ret; + + CRYPTO_THREAD_write_lock(dctx->lock); + ret = dctx->status == DRBG_STATUS_READY ? 1 : 0; + CRYPTO_THREAD_unlock(dctx->lock); + return ret; +} + +static void drbg_cleanup(void) +{ + DRBG_CTX *dctx = RAND_DRBG_get_default(); + + CRYPTO_THREAD_write_lock(dctx->lock); + RAND_DRBG_uninstantiate(dctx); + CRYPTO_THREAD_unlock(dctx->lock); +} + +static const RAND_METHOD rand_drbg_meth = +{ + NULL, + drbg_bytes, + drbg_cleanup, + NULL, + drbg_bytes, + drbg_status +}; + +const RAND_METHOD *RAND_drbg(void) +{ + return &rand_drbg_meth; +} diff --git a/crypto/rand/ossl_rand.c b/crypto/rand/ossl_rand.c index 016653d227..1b4b21ba4a 100644 --- a/crypto/rand/ossl_rand.c +++ b/crypto/rand/ossl_rand.c @@ -38,8 +38,8 @@ typedef struct ossl_rand_state_st OSSL_RAND_STATE; struct ossl_rand_state_st { size_t num; size_t index; - unsigned char state[STATE_SIZE + RAND_DIGEST_LENGTH]; - unsigned char md[RAND_DIGEST_LENGTH]; + unsigned char state[STATE_SIZE + SHA_DIGEST_LENGTH]; + unsigned char md[SHA_DIGEST_LENGTH]; long md_count[2]; }; @@ -103,7 +103,7 @@ static int rand_add(const void *buf, int num, double add) { int i, j, k, st_idx; long md_c[2]; - unsigned char local_md[RAND_DIGEST_LENGTH]; + unsigned char local_md[SHA_DIGEST_LENGTH]; EVP_MD_CTX *m; int do_not_lock; int rv = 0; @@ -178,18 +178,18 @@ static int rand_add(const void *buf, int num, double add) * will use now, but other threads may use them as well */ - sp->md_count[1] += (num / RAND_DIGEST_LENGTH) + (num % RAND_DIGEST_LENGTH > 0); + sp->md_count[1] += (num / SHA_DIGEST_LENGTH) + (num % SHA_DIGEST_LENGTH > 0); if (!do_not_lock) CRYPTO_THREAD_unlock(rand_lock); - for (i = 0; i < num; i += RAND_DIGEST_LENGTH) { + for (i = 0; i < num; i += SHA_DIGEST_LENGTH) { j = (num - i); - j = (j > RAND_DIGEST_LENGTH) ? RAND_DIGEST_LENGTH : j; + j = (j > SHA_DIGEST_LENGTH) ? SHA_DIGEST_LENGTH : j; - if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL)) + if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL)) goto err; - if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH)) + if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH)) goto err; k = (st_idx + j) - STATE_SIZE; if (k > 0) { @@ -268,7 +268,7 @@ static int rand_bytes(unsigned char *buf, int num) size_t num_ceil, st_idx, st_num; int ok; long md_c[2]; - unsigned char local_md[RAND_DIGEST_LENGTH]; + unsigned char local_md[SHA_DIGEST_LENGTH]; EVP_MD_CTX *m; OSSL_RAND_STATE *sp = &global_state; #ifndef GETPID_IS_MEANINGLESS @@ -314,9 +314,9 @@ static int rand_bytes(unsigned char *buf, int num) if (m == NULL) goto err_mem; - /* round upwards to multiple of RAND_DIGEST_LENGTH/2 */ + /* round upwards to multiple of SHA_DIGEST_LENGTH/2 */ num_ceil = - (1 + (num - 1) / (RAND_DIGEST_LENGTH / 2)) * (RAND_DIGEST_LENGTH / 2); + (1 + (num - 1) / (SHA_DIGEST_LENGTH / 2)) * (SHA_DIGEST_LENGTH / 2); /* * (Based on the rand(3) manpage:) @@ -389,16 +389,16 @@ static int rand_bytes(unsigned char *buf, int num) int n = STATE_SIZE; /* so that the complete pool gets accessed */ while (n > 0) { -#if RAND_DIGEST_LENGTH > 20 +#if SHA_DIGEST_LENGTH > 20 # error "Please adjust DUMMY_SEED." #endif -#define DUMMY_SEED "...................." /* at least RAND_DIGEST_LENGTH */ +#define DUMMY_SEED "...................." /* at least SHA_DIGEST_LENGTH */ /* * Note that the seed does not matter, it's just that * rand_add expects to have something to hash. */ - rand_add(DUMMY_SEED, RAND_DIGEST_LENGTH, 0.0); - n -= RAND_DIGEST_LENGTH; + rand_add(DUMMY_SEED, SHA_DIGEST_LENGTH, 0.0); + n -= SHA_DIGEST_LENGTH; } if (ok) stirred_pool = 1; @@ -427,10 +427,10 @@ static int rand_bytes(unsigned char *buf, int num) CRYPTO_THREAD_unlock(rand_lock); while (num > 0) { - /* num_ceil -= RAND_DIGEST_LENGTH / 2 */ - j = (num >= RAND_DIGEST_LENGTH / 2) ? RAND_DIGEST_LENGTH / 2 : num; + /* num_ceil -= SHA_DIGEST_LENGTH / 2 */ + j = (num >= SHA_DIGEST_LENGTH / 2) ? SHA_DIGEST_LENGTH / 2 : num; num -= j; - if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL)) + if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL)) goto err; #ifndef GETPID_IS_MEANINGLESS if (curr_pid) { /* just in the first iteration to save time */ @@ -448,35 +448,35 @@ static int rand_bytes(unsigned char *buf, int num) if (!rand_hw_seed(m)) goto err; } - if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH)) + if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH)) goto err; if (!EVP_DigestUpdate(m, (unsigned char *)md_c, sizeof(md_c))) goto err; - k = (st_idx + RAND_DIGEST_LENGTH / 2) - st_num; + k = (st_idx + SHA_DIGEST_LENGTH / 2) - st_num; if (k > 0) { - if (!EVP_DigestUpdate(m, &sp->state[st_idx], RAND_DIGEST_LENGTH / 2 - k)) + if (!EVP_DigestUpdate(m, &sp->state[st_idx], SHA_DIGEST_LENGTH / 2 - k)) goto err; if (!EVP_DigestUpdate(m, &sp->state[0], k)) goto err; - } else if (!EVP_DigestUpdate(m, &sp->state[st_idx], RAND_DIGEST_LENGTH / 2)) + } else if (!EVP_DigestUpdate(m, &sp->state[st_idx], SHA_DIGEST_LENGTH / 2)) goto err; if (!EVP_DigestFinal_ex(m, local_md, NULL)) goto err; - for (i = 0; i < RAND_DIGEST_LENGTH / 2; i++) { + for (i = 0; i < SHA_DIGEST_LENGTH / 2; i++) { /* may compete with other threads */ sp->state[st_idx++] ^= local_md[i]; if (st_idx >= st_num) st_idx = 0; if (i < j) - *(buf++) = local_md[i + RAND_DIGEST_LENGTH / 2]; + *(buf++) = local_md[i + SHA_DIGEST_LENGTH / 2]; } } - if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL) + if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL) || !EVP_DigestUpdate(m, (unsigned char *)md_c, sizeof(md_c)) - || !EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH)) + || !EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH)) goto err; CRYPTO_THREAD_write_lock(rand_lock); /* diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c index 3513ac9162..707f010e4c 100644 --- a/crypto/rand/rand_err.c +++ b/crypto/rand/rand_err.c @@ -14,20 +14,58 @@ #ifndef OPENSSL_NO_ERR static const ERR_STRING_DATA RAND_str_functs[] = { + {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_BYTES, 0), "drbg_bytes"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_GET_ENTROPY, 0), "drbg_get_entropy"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_GET_ENTROPY, 0), "get_entropy"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_BYTES, 0), "RAND_bytes"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GENERATE, 0), + "RAND_DRBG_generate"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_INSTANTIATE, 0), + "RAND_DRBG_instantiate"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_NEW, 0), "RAND_DRBG_new"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_RESEED, 0), "RAND_DRBG_reseed"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_SET, 0), "RAND_DRBG_set"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_LOAD_FILE, 0), "RAND_load_file"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_WRITE_FILE, 0), "RAND_write_file"}, {0, NULL} }; static const ERR_STRING_DATA RAND_str_reasons[] = { + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ADDITIONAL_INPUT_TOO_LONG), + "additional input too long"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ALREADY_INSTANTIATED), + "already instantiated"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_CANNOT_OPEN_FILE), "Cannot open file"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DRBG_NOT_INITIALISED), + "drbg not initialised"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_INITIALISING_DRBG), + "error initialising drbg"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_INSTANTIATING_DRBG), + "error instantiating drbg"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), + "error retrieving additional input"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_ENTROPY), + "error retrieving entropy"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_NONCE), + "error retrieving nonce"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_FUNC_NOT_IMPLEMENTED), "Function not implemented"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_FWRITE_ERROR), "Error writing file"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_GENERATE_ERROR), "generate error"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INTERNAL_ERROR), "internal error"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_IN_ERROR_STATE), "in error state"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_A_REGULAR_FILE), "Not a regular file"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_INSTANTIATED), "not instantiated"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PERSONALISATION_STRING_TOO_LONG), + "personalisation string too long"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG), + "request too large for drbg"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_RESEED_ERROR), "reseed error"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_SELFTEST_FAILURE), "selftest failure"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_UNSUPPORTED_DRBG_TYPE), + "unsupported drbg type"}, {0, NULL} }; diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index 69c9630122..d65d49f3ac 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -10,15 +10,93 @@ #ifndef HEADER_RAND_LCL_H # define HEADER_RAND_LCL_H +# include +# include +# include +# include +# include +# include "include/internal/rand.h" + /* we require 256 bits of randomness */ # define RANDOMNESS_NEEDED (256 / 8) -# include -# include +/* DRBG status values */ +#define DRBG_STATUS_UNINITIALISED 0 +#define DRBG_STATUS_READY 1 +#define DRBG_STATUS_RESEED 2 +#define DRBG_STATUS_ERROR 3 + +/* A default maximum length: larger than any reasonable value used in pratice */ +#define DRBG_MAX_LENGTH 0x7ffffff0 + +typedef struct drbg_ctr_ctx_st { + AES_KEY ks; + size_t keylen; + unsigned char K[32]; + unsigned char V[16]; + /* Temp variables used by derivation function */ + AES_KEY df_ks; + AES_KEY df_kxks; + /* Temporary block storage used by ctr_df */ + unsigned char bltmp[16]; + size_t bltmp_pos; + unsigned char KX[48]; +} DRBG_CTR_CTX; + +struct drbg_ctx_st { + CRYPTO_RWLOCK *lock; + DRBG_CTX *parent; + int nid; /* the NID of the underlying algorithm */ + unsigned int flags; /* various external flags */ + + /* The following parameters are setup by mechanism drbg_init() call */ + int strength; + size_t blocklength; + size_t max_request; + size_t min_entropy, max_entropy; + size_t min_nonce, max_nonce; + size_t max_pers, max_adin; + unsigned int reseed_counter; + unsigned int reseed_interval; + size_t seedlen; + int status; + + /* Application data: typically (only?) used by test get_entropy */ + CRYPTO_EX_DATA ex_data; + + /* Implementation specific structures */ + DRBG_CTR_CTX ctr; + + /* entropy gathering function */ + size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len); + /* Indicates we have finished with entropy buffer */ + void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen); + + /* nonce gathering function */ + size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len); + /* Indicates we have finished with nonce buffer */ + void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen); +}; -# define RAND_DIGEST EVP_sha1() -# define RAND_DIGEST_LENGTH SHA_DIGEST_LENGTH extern RAND_METHOD openssl_rand_meth; +void rand_drbg_cleanup(void); + +int ctr_init(DRBG_CTX *dctx); +int drbg_hash_init(DRBG_CTX *dctx); +int drbg_hmac_init(DRBG_CTX *dctx); +int ctr_uninstantiate(DRBG_CTX *dctx); +int ctr_instantiate(DRBG_CTX *dctx, + const unsigned char *ent, size_t entlen, + const unsigned char *nonce, size_t noncelen, + const unsigned char *pers, size_t perslen); +int ctr_reseed(DRBG_CTX *dctx, + const unsigned char *ent, size_t entlen, + const unsigned char *adin, size_t adinlen); +int ctr_generate(DRBG_CTX *dctx, + unsigned char *out, size_t outlen, + const unsigned char *adin, size_t adinlen); #endif diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 1a1e2829b3..c021486c9f 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -49,6 +49,7 @@ void rand_cleanup_int(void) CRYPTO_THREAD_lock_free(rand_engine_lock); #endif CRYPTO_THREAD_lock_free(rand_meth_lock); + rand_drbg_cleanup(); } int RAND_set_rand_method(const RAND_METHOD *meth) diff --git a/include/internal/rand.h b/include/internal/rand.h new file mode 100644 index 0000000000..95ad712573 --- /dev/null +++ b/include/internal/rand.h @@ -0,0 +1,50 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_DRBG_RAND_H +# define HEADER_DRBG_RAND_H + +/* Flag for CTR mode only: use derivation function ctr_df */ +#define RAND_DRBG_FLAG_CTR_USE_DF 0x2 + +const RAND_METHOD *RAND_drbg(void); + +int RAND_DRBG_set(DRBG_CTX *ctx, int type, unsigned int flags); +DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent); +int RAND_DRBG_instantiate(DRBG_CTX *dctx, + const unsigned char *pers, size_t perslen); +int RAND_DRBG_uninstantiate(DRBG_CTX *dctx); +int RAND_DRBG_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen); +int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, + int prediction_resistance, + const unsigned char *adin, size_t adinlen); +void RAND_DRBG_free(DRBG_CTX *dctx); + +int RAND_DRBG_set_callbacks(DRBG_CTX *dctx, + size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len), + void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen), + size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len), + void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen) + ); + +void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval); + +#define RAND_DRBG_get_ex_new_index(l, p, newf, dupf, freef) \ + CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DRBG, l, p, newf, dupf, freef) +int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg); +void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx); + +DRBG_CTX *RAND_DRBG_get_default(void); + + +#endif + + diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index ad2cfe5f07..f0bc98f320 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -107,7 +107,8 @@ DEFINE_STACK_OF(void) # define CRYPTO_EX_INDEX_BIO 12 # define CRYPTO_EX_INDEX_APP 13 # define CRYPTO_EX_INDEX_UI_METHOD 14 -# define CRYPTO_EX_INDEX__COUNT 15 +# define CRYPTO_EX_INDEX_DRBG 15 +# define CRYPTO_EX_INDEX__COUNT 16 /* * This is the default callbacks, but we can have others as well: this is diff --git a/include/openssl/ossl_typ.h b/include/openssl/ossl_typ.h index 173a42d3ff..49bdead4ce 100644 --- a/include/openssl/ossl_typ.h +++ b/include/openssl/ossl_typ.h @@ -114,6 +114,7 @@ typedef struct ec_key_st EC_KEY; typedef struct ec_key_method_st EC_KEY_METHOD; typedef struct rand_meth_st RAND_METHOD; +typedef struct drbg_ctx_st DRBG_CTX; typedef struct ssl_dane_st SSL_DANE; typedef struct x509_st X509; diff --git a/include/openssl/rand.h b/include/openssl/rand.h index 5cda71b792..b6b33cf37a 100644 --- a/include/openssl/rand.h +++ b/include/openssl/rand.h @@ -38,15 +38,15 @@ const RAND_METHOD *RAND_get_rand_method(void); int RAND_set_rand_engine(ENGINE *engine); # endif RAND_METHOD *RAND_OpenSSL(void); -#if OPENSSL_API_COMPAT < 0x10100000L -# define RAND_cleanup() while(0) continue -#endif +# if OPENSSL_API_COMPAT < 0x10100000L +# define RAND_cleanup() while(0) continue +# endif int RAND_bytes(unsigned char *buf, int num); DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num)) void RAND_seed(const void *buf, int num); -#if defined(__ANDROID__) && defined(__NDK_FPABI__) +# if defined(__ANDROID__) && defined(__NDK_FPABI__) __NDK_FPABI__ /* __attribute__((pcs("aapcs"))) on ARM */ -#endif +# endif void RAND_add(const void *buf, int num, double randomness); int RAND_load_file(const char *file, long max_bytes); int RAND_write_file(const char *file); @@ -59,15 +59,16 @@ int RAND_egd_bytes(const char *path, int bytes); # endif int RAND_poll(void); -#if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H)) +# if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H)) /* application has to include in order to use these */ DEPRECATEDIN_1_1_0(void RAND_screen(void)) DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) -#endif +# endif int ERR_load_RAND_strings(void); -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif + #endif diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h index 244fd0e4b4..79c652fcdf 100644 --- a/include/openssl/randerr.h +++ b/include/openssl/randerr.h @@ -22,17 +22,42 @@ int ERR_load_RAND_strings(void); /* * RAND function codes. */ +# define RAND_F_DRBG_BYTES 101 +# define RAND_F_DRBG_GET_ENTROPY 105 +# define RAND_F_GET_ENTROPY 106 # define RAND_F_RAND_BYTES 100 -# define RAND_F_RAND_LOAD_FILE 101 -# define RAND_F_RAND_WRITE_FILE 102 +# define RAND_F_RAND_DRBG_GENERATE 107 +# define RAND_F_RAND_DRBG_INSTANTIATE 108 +# define RAND_F_RAND_DRBG_NEW 109 +# define RAND_F_RAND_DRBG_RESEED 110 +# define RAND_F_RAND_DRBG_SET 104 +# define RAND_F_RAND_LOAD_FILE 111 +# define RAND_F_RAND_WRITE_FILE 112 /* * RAND reason codes. */ -# define RAND_R_CANNOT_OPEN_FILE 102 +# define RAND_R_ADDITIONAL_INPUT_TOO_LONG 102 +# define RAND_R_ALREADY_INSTANTIATED 103 +# define RAND_R_CANNOT_OPEN_FILE 121 +# define RAND_R_DRBG_NOT_INITIALISED 104 +# define RAND_R_ERROR_INITIALISING_DRBG 107 +# define RAND_R_ERROR_INSTANTIATING_DRBG 108 +# define RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 109 +# define RAND_R_ERROR_RETRIEVING_ENTROPY 110 +# define RAND_R_ERROR_RETRIEVING_NONCE 111 # define RAND_R_FUNC_NOT_IMPLEMENTED 101 -# define RAND_R_FWRITE_ERROR 103 -# define RAND_R_NOT_A_REGULAR_FILE 104 +# define RAND_R_FWRITE_ERROR 123 +# define RAND_R_GENERATE_ERROR 112 +# define RAND_R_INTERNAL_ERROR 113 +# define RAND_R_IN_ERROR_STATE 114 +# define RAND_R_NOT_A_REGULAR_FILE 122 +# define RAND_R_NOT_INSTANTIATED 115 +# define RAND_R_PERSONALISATION_STRING_TOO_LONG 116 # define RAND_R_PRNG_NOT_SEEDED 100 +# define RAND_R_REQUEST_TOO_LARGE_FOR_DRBG 117 +# define RAND_R_RESEED_ERROR 118 +# define RAND_R_SELFTEST_FAILURE 119 +# define RAND_R_UNSUPPORTED_DRBG_TYPE 120 #endif diff --git a/test/build.info b/test/build.info index 34c81a4dfd..9664443c48 100644 --- a/test/build.info +++ b/test/build.info @@ -42,7 +42,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ pkey_meth_test uitest cipherbytes_test asn1_encode_test \ - x509_time_test x509_dup_cert_test x509_check_cert_pkey_test recordlentest \ + x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \ + recordlentest drbgtest \ time_offset_test pemtest ssl_cert_table_internal_test SOURCE[aborttest]=aborttest.c @@ -302,6 +303,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN INCLUDE[recordlentest]=../include . DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a + SOURCE[drbgtest]=drbgtest.c + INCLUDE[drbgtest]=../include . .. + DEPEND[drbgtest]=../libcrypto libtestutil.a + SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c INCLUDE[x509_dup_cert_test]=../include DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a diff --git a/test/drbgtest.c b/test/drbgtest.c new file mode 100644 index 0000000000..80d0b8b590 --- /dev/null +++ b/test/drbgtest.c @@ -0,0 +1,490 @@ +/* + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "e_os.h" +#include +#include +#include +#include +#include +#include +#include "../crypto/rand/rand_lcl.h" + +#include "testutil.h" +#include "drbgtest.h" + +typedef struct drbg_selftest_data_st { + int post; + int nid; + unsigned int flags; + + /* KAT data for no PR */ + const unsigned char *ent; + size_t entlen; + const unsigned char *nonce; + size_t noncelen; + const unsigned char *pers; + size_t perslen; + const unsigned char *adin; + size_t adinlen; + const unsigned char *entreseed; + size_t entreseedlen; + const unsigned char *adinreseed; + size_t adinreseedlen; + const unsigned char *adin2; + size_t adin2len; + const unsigned char *expected; + size_t exlen; + const unsigned char *kat2; + size_t kat2len; + + /* KAT data for PR */ + const unsigned char *ent_pr; + size_t entlen_pr; + const unsigned char *nonce_pr; + size_t noncelen_pr; + const unsigned char *pers_pr; + size_t perslen_pr; + const unsigned char *adin_pr; + size_t adinlen_pr; + const unsigned char *entpr_pr; + size_t entprlen_pr; + const unsigned char *ading_pr; + size_t adinglen_pr; + const unsigned char *entg_pr; + size_t entglen_pr; + const unsigned char *kat_pr; + size_t katlen_pr; + const unsigned char *kat2_pr; + size_t kat2len_pr; +} DRBG_SELFTEST_DATA; + +#define make_drbg_test_data(nid, flag, pr, post) {\ + post, nid, flag, \ + pr##_entropyinput, sizeof(pr##_entropyinput), \ + pr##_nonce, sizeof(pr##_nonce), \ + pr##_personalizationstring, sizeof(pr##_personalizationstring), \ + pr##_additionalinput, sizeof(pr##_additionalinput), \ + pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ + pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ + pr##_additionalinput2, sizeof(pr##_additionalinput2), \ + pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ + pr##_returnedbits, sizeof(pr##_returnedbits), \ + pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ + pr##_pr_nonce, sizeof(pr##_pr_nonce), \ + pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ + pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ + pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ + pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ + pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ + pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ + pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \ + } + +#define make_drbg_test_data_df(nid, pr, p) \ + make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_USE_DF, pr, p) + +static DRBG_SELFTEST_DATA drbg_test[] = { + make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0), + make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0), + make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1), + make_drbg_test_data (NID_aes_128_ctr, 0, aes_128_no_df, 0), + make_drbg_test_data (NID_aes_192_ctr, 0, aes_192_no_df, 0), + make_drbg_test_data (NID_aes_256_ctr, 0, aes_256_no_df, 1), +}; + +static int app_data_index; + +/* + * Test context data, attached as appdata to the DRBG_CTX + */ +typedef struct test_ctx_st { + const unsigned char *ent; + size_t entlen; + int entcnt; + const unsigned char *nonce; + size_t noncelen; + int noncecnt; +} TEST_CTX; + +static size_t kat_entropy(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index); + + t->entcnt++; + *pout = (unsigned char *)t->ent; + return t->entlen; +} + +static size_t kat_nonce(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index); + + t->noncecnt++; + *pout = (unsigned char *)t->nonce; + return t->noncelen; +} + +static int uninstantiate(DRBG_CTX *dctx) +{ + int ret = dctx == NULL ? 1 : RAND_DRBG_uninstantiate(dctx); + + ERR_clear_error(); + return ret; +} + +/* + * Do a single KAT test. Return 0 on failure. + */ +static int single_kat(DRBG_SELFTEST_DATA *td) +{ + DRBG_CTX *dctx = NULL; + TEST_CTX t; + int failures = 0; + unsigned char buff[1024]; + + /* + * Test without PR: Instantiate DRBG with test entropy, nonce and + * personalisation string. + */ + if (!TEST_ptr(dctx = RAND_DRBG_new(td->nid, td->flags, NULL))) + return 0; + if (!TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL, + kat_nonce, NULL))) { + failures++; + goto err; + } + memset(&t, 0, sizeof(t)); + t.ent = td->ent; + t.entlen = td->entlen; + t.nonce = td->nonce; + t.noncelen = td->noncelen; + RAND_DRBG_set_ex_data(dctx, app_data_index, &t); + + if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen)) + || !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen)) + || !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen)) + failures++; + + /* Reseed DRBG with test entropy and additional input */ + t.ent = td->entreseed; + t.entlen = td->entreseedlen; + if (!TEST_true(RAND_DRBG_reseed(dctx, td->adinreseed, td->adinreseedlen) + || !TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len, 0, + td->adin2, td->adin2len)) + || !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len))) + failures++; + uninstantiate(dctx); + + /* + * Now test with PR: Instantiate DRBG with test entropy, nonce and + * personalisation string. + */ + if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags)) + || !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL, + kat_nonce, NULL))) + failures++; + RAND_DRBG_set_ex_data(dctx, app_data_index, &t); + t.ent = td->ent_pr; + t.entlen = td->entlen_pr; + t.nonce = td->nonce_pr; + t.noncelen = td->noncelen_pr; + t.entcnt = 0; + t.noncecnt = 0; + if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers_pr, td->perslen_pr))) + failures++; + + /* + * Now generate with PR: we need to supply entropy as this will + * perform a reseed operation. + */ + t.ent = td->entpr_pr; + t.entlen = td->entprlen_pr; + if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->katlen_pr, 1, + td->adin_pr, td->adinlen_pr)) + || !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr)) + failures++; + + /* + * Now generate again with PR: supply new entropy again. + */ + t.ent = td->entg_pr; + t.entlen = td->entglen_pr; + + if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len_pr, 1, + td->ading_pr, td->adinglen_pr)) + || !TEST_mem_eq(td->kat2_pr, td->kat2len_pr, + buff, td->kat2len_pr)) + failures++; + +err: + uninstantiate(dctx); + RAND_DRBG_free(dctx); + return failures == 0; +} + +/* + * Initialise a DRBG based on selftest data + */ +static int init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_CTX *t) +{ + if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags)) + || !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL, + kat_nonce, NULL))) + return 0; + RAND_DRBG_set_ex_data(dctx, app_data_index, t); + t->ent = td->ent; + t->entlen = td->entlen; + t->nonce = td->nonce; + t->noncelen = td->noncelen; + t->entcnt = 0; + t->noncecnt = 0; + return 1; +} + +/* + * Initialise and instantiate DRBG based on selftest data + */ +static int instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, + TEST_CTX *t) +{ + if (!TEST_true(init(dctx, td, t)) + || !TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen))) + return 0; + return 1; +} + +/* + * Perform extensive error checking as required by SP800-90. + * Induce several failure modes and check an error condition is set. + */ +static int error_check(DRBG_SELFTEST_DATA *td) +{ + static char zero[sizeof(DRBG_CTX)]; + DRBG_CTX *dctx = NULL; + TEST_CTX t; + unsigned char buff[1024]; + unsigned int reseed_counter_tmp; + int ret = 0; + + if (!TEST_ptr(dctx = RAND_DRBG_new(0, 0, NULL))) + goto err; + + /* + * Personalisation string tests + */ + + /* Test detection of too large personlisation string */ + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) + goto err; + + /* + * Entropy source tests + */ + + /* Test entropy source failure detecion: i.e. returns no data */ + t.entlen = 0; + if (TEST_int_le(RAND_DRBG_instantiate(dctx, td->pers, td->perslen), 0)) + goto err; + + /* Try to generate output from uninstantiated DRBG */ + if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen)) + || !uninstantiate(dctx)) + goto err; + + /* Test insufficient entropy */ + t.entlen = dctx->min_entropy - 1; + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0 + || !uninstantiate(dctx)) + goto err; + + /* Test too much entropy */ + t.entlen = dctx->max_entropy + 1; + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0 + || !uninstantiate(dctx)) + goto err; + + /* + * Nonce tests + */ + + /* Test too small nonce */ + if (dctx->min_nonce) { + t.noncelen = dctx->min_nonce - 1; + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0 + || !uninstantiate(dctx)) + goto err; + } + + /* Test too large nonce */ + if (dctx->max_nonce) { + t.noncelen = dctx->max_nonce + 1; + if (!init(dctx, td, &t) + || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0 + || !uninstantiate(dctx)) + goto err; + } + + /* Instantiate with valid data, Check generation is now OK */ + if (!instantiate(dctx, td, &t) + || !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen))) + goto err; + + /* Request too much data for one request */ + if (!TEST_false(RAND_DRBG_generate(dctx, buff, dctx->max_request + 1, 0, + td->adin, td->adinlen))) + goto err; + + /* Try too large additional input */ + if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, dctx->max_adin + 1))) + goto err; + + /* + * Check prediction resistance request fails if entropy source + * failure. + */ + t.entlen = 0; + if (TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1, + td->adin, td->adinlen)) + || !uninstantiate(dctx)) + goto err; + + /* Instantiate again with valid data */ + if (!instantiate(dctx, td, &t)) + goto err; + reseed_counter_tmp = dctx->reseed_counter; + dctx->reseed_counter = dctx->reseed_interval; + + /* Generate output and check entropy has been requested for reseed */ + t.entcnt = 0; + if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen)) + || !TEST_int_eq(t.entcnt, 1) + || !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1) + || !uninstantiate(dctx)) + goto err; + + /* + * Check prediction resistance request fails if entropy source + * failure. + */ + t.entlen = 0; + if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1, + td->adin, td->adinlen)) + || !uninstantiate(dctx)) + goto err; + + /* Test reseed counter works */ + if (!instantiate(dctx, td, &t)) + goto err; + reseed_counter_tmp = dctx->reseed_counter; + dctx->reseed_counter = dctx->reseed_interval; + + /* Generate output and check entropy has been requested for reseed */ + t.entcnt = 0; + if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0, + td->adin, td->adinlen)) + || !TEST_int_eq(t.entcnt, 1) + || !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1) + || !uninstantiate(dctx)) + goto err; + + /* + * Explicit reseed tests + */ + + /* Test explicit reseed with too large additional input */ + if (!init(dctx, td, &t) + || RAND_DRBG_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) + goto err; + + /* Test explicit reseed with entropy source failure */ + t.entlen = 0; + if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0) + || !uninstantiate(dctx)) + goto err; + + /* Test explicit reseed with too much entropy */ + if (!init(dctx, td, &t)) + goto err; + t.entlen = dctx->max_entropy + 1; + if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0) + || !uninstantiate(dctx)) + goto err; + + /* Test explicit reseed with too little entropy */ + if (!init(dctx, td, &t)) + goto err; + t.entlen = dctx->min_entropy - 1; + if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0) + || !uninstantiate(dctx)) + goto err; + + /* Standard says we have to check uninstantiate really zeroes */ + if (!TEST_mem_eq(zero, sizeof(dctx->ctr), &dctx->ctr, sizeof(dctx->ctr))) + goto err; + + ret = 1; + +err: + uninstantiate(dctx); + RAND_DRBG_free(dctx); + return ret; +} + +static int test_kats(int i) +{ + DRBG_SELFTEST_DATA *td = &drbg_test[i]; + int rv = 0; + + if (!single_kat(td)) + goto err; + rv = 1; + +err: + return rv; +} + +static int test_error_checks(int i) +{ + DRBG_SELFTEST_DATA *td = &drbg_test[i]; + int rv = 0; + + if (error_check(td)) + goto err; + rv = 1; + +err: + return rv; +} + + +int test_main(int argc, char *argv[]) +{ + if (argc != 1) { + TEST_error("Usage: %s", argv[0]); + return EXIT_FAILURE; + } + app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); + + ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test)); + ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test)); + return run_tests(argv[0]); +} diff --git a/test/drbgtest.h b/test/drbgtest.h new file mode 100644 index 0000000000..c11b8a2b4c --- /dev/null +++ b/test/drbgtest.h @@ -0,0 +1,579 @@ +/* + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Known answer tests for SP800-90 DRBG CTR mode. + */ + + +/* + * AES-128 use df PR + */ +static const unsigned char aes_128_use_df_pr_entropyinput[] = { + 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, + 0xc8, 0xdb, 0xff, 0x12 +}; +static const unsigned char aes_128_use_df_pr_nonce[] = { + 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 +}; +static const unsigned char aes_128_use_df_pr_personalizationstring[] = { + 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, + 0xd7, 0xd7, 0x01, 0x67 +}; +static const unsigned char aes_128_use_df_pr_additionalinput[] = { + 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, + 0x9a, 0x47, 0x08, 0x76 +}; +static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { + 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, + 0x09, 0xfb, 0xa3, 0xb6 +}; +static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { + 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, + 0x66, 0x1c, 0xea, 0x5b +}; +static const unsigned char aes_128_use_df_pr_additionalinput2[] = { + 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, + 0x3f, 0x5e, 0x31, 0x06 +}; +static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { + 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, + 0xa7, 0xe3, 0xa8, 0x67 +}; +static const unsigned char aes_128_use_df_pr_returnedbits[] = { + 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, + 0x0f, 0x38, 0x43, 0xc6 +}; + + +/* + * AES-128 use df no PR + */ +static const unsigned char aes_128_use_df_entropyinput[] = { + 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, + 0x9d, 0x7d, 0x1c, 0x9b +}; +static const unsigned char aes_128_use_df_nonce[] = { + 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96, +}; +static const unsigned char aes_128_use_df_personalizationstring[] = { + 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, + 0x38, 0x66, 0xba, 0x1b +}; +static const unsigned char aes_128_use_df_additionalinput[] = { + 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, + 0xb5, 0xe2, 0xb2, 0x41 +}; +static const unsigned char aes_128_use_df_int_returnedbits[] = { + 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, + 0xe7, 0x57, 0x11, 0xb4 +}; +static const unsigned char aes_128_use_df_entropyinputreseed[] = { + 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, + 0xc7, 0xc4, 0x9e, 0x39 +}; +static const unsigned char aes_128_use_df_additionalinputreseed[] = { + 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, + 0xc8, 0x93, 0xfa, 0x84 +}; +static const unsigned char aes_128_use_df_additionalinput2[] = { + 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, + 0x06, 0x0c, 0x15, 0x2c +}; +static const unsigned char aes_128_use_df_returnedbits[] = { + 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, + 0x46, 0x81, 0xc7, 0x19 +}; + + +/* + * AES-192 use df PR + */ +static const unsigned char aes_192_use_df_pr_entropyinput[] = { + 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, + 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d +}; +static const unsigned char aes_192_use_df_pr_nonce[] = { + 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, + 0xd1, 0x80, 0x78, 0xfa +}; +static const unsigned char aes_192_use_df_pr_personalizationstring[] = { + 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, + 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, + 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 +}; +static const unsigned char aes_192_use_df_pr_additionalinput[] = { + 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, + 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, + 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 +}; +static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { + 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, + 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5, +}; +static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { + 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, + 0x19, 0x30, 0x6b, 0x67 +}; +static const unsigned char aes_192_use_df_pr_additionalinput2[] = { + 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, + 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, + 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 +}; +static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { + 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, + 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e, +}; +static const unsigned char aes_192_use_df_pr_returnedbits[] = { + 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, + 0x7e, 0x1a, 0x2b, 0x83 +}; + + +/* + * AES-192 use df no PR + */ +static const unsigned char aes_192_use_df_entropyinput[] = { + 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, + 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b, +}; +static const unsigned char aes_192_use_df_nonce[] = { + 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, + 0x77, 0xd7, 0x41, 0x0e +}; +static const unsigned char aes_192_use_df_personalizationstring[] = { + 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, + 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, + 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 +}; +static const unsigned char aes_192_use_df_additionalinput[] = { + 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, + 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, + 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 +}; +static const unsigned char aes_192_use_df_int_returnedbits[] = { + 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, + 0xb7, 0xed, 0xe9, 0xea +}; +static const unsigned char aes_192_use_df_entropyinputreseed[] = { + 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, + 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01, +}; +static const unsigned char aes_192_use_df_additionalinputreseed[] = { + 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, + 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, + 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 +}; +static const unsigned char aes_192_use_df_additionalinput2[] = { + 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, + 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, + 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 +}; +static const unsigned char aes_192_use_df_returnedbits[] = { + 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, + 0x1a, 0xf9, 0x13, 0x28 +}; + + +/* + * AES-256 use df PR + */ +static const unsigned char aes_256_use_df_pr_entropyinput[] = { + 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, + 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, + 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a +}; +static const unsigned char aes_256_use_df_pr_nonce[] = { + 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, + 0x2b, 0x36, 0xff, 0xa4 +}; +static const unsigned char aes_256_use_df_pr_personalizationstring[] = { + 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, + 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, + 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d +}; +static const unsigned char aes_256_use_df_pr_additionalinput[] = { + 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, + 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, + 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde +}; +static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { + 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, + 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, + 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 +}; +static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { + 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, + 0x17, 0xab, 0x3c, 0x7a +}; +static const unsigned char aes_256_use_df_pr_additionalinput2[] = { + 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, + 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, + 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 +}; +static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = { + 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, + 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, + 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f +}; +static const unsigned char aes_256_use_df_pr_returnedbits[] = { + 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, + 0xd9, 0xe2, 0x97, 0x00 +}; + + +/* + * AES-256 use df no PR + */ +static const unsigned char aes_256_use_df_entropyinput[] = { + 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, + 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, + 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 +}; +static const unsigned char aes_256_use_df_nonce[] = { + 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, + 0x4c, 0x44, 0x84, 0x40 +}; +static const unsigned char aes_256_use_df_personalizationstring[] = { + 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, + 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, + 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 +}; +static const unsigned char aes_256_use_df_additionalinput[] = { + 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, + 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, + 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 +}; +static const unsigned char aes_256_use_df_int_returnedbits[] = { + 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, + 0x28, 0x0c, 0x3b, 0xc1 +}; +static const unsigned char aes_256_use_df_entropyinputreseed[] = { + 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, + 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, + 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e +}; +static const unsigned char aes_256_use_df_additionalinputreseed[] = { + 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, + 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, + 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 +}; +static const unsigned char aes_256_use_df_additionalinput2[] = { + 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, + 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, + 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d +}; +static const unsigned char aes_256_use_df_returnedbits[] = { + 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, + 0xfa, 0xfd, 0x35, 0x5e +}; + + +/* + * AES-128 no df PR + */ +static const unsigned char aes_128_no_df_pr_entropyinput[] = { + 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, + 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, + 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a +}; +static const unsigned char aes_128_no_df_pr_nonce[] = { + 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1, +}; +static const unsigned char aes_128_no_df_pr_personalizationstring[] = { + 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, + 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, + 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 +}; +static const unsigned char aes_128_no_df_pr_additionalinput[] = { + 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, + 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, + 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 +}; +static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { + 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, + 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, + 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e +}; +static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { + 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, + 0xaf, 0x19, 0x32, 0x16 +}; +static const unsigned char aes_128_no_df_pr_additionalinput2[] = { + 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, + 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, + 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 +}; +static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { + 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, + 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, + 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 +}; +static const unsigned char aes_128_no_df_pr_returnedbits[] = { + 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, + 0x57, 0x82, 0x33, 0xaf +}; + + +/* + * AES-128 no df no PR + */ +static const unsigned char aes_128_no_df_entropyinput[] = { + 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, + 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, + 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 +}; +static const unsigned char aes_128_no_df_nonce[] = { + 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13, +}; +static const unsigned char aes_128_no_df_personalizationstring[] = { + 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, + 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, + 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce +}; +static const unsigned char aes_128_no_df_additionalinput[] = { + 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, + 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, + 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 +}; +static const unsigned char aes_128_no_df_int_returnedbits[] = { + 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, + 0xed, 0x3e, 0x65, 0xc2 +}; +static const unsigned char aes_128_no_df_entropyinputreseed[] = { + 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, + 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, + 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 +}; +static const unsigned char aes_128_no_df_additionalinputreseed[] = { + 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, + 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, + 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 +}; +static const unsigned char aes_128_no_df_additionalinput2[] = { + 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, + 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, + 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 +}; +static const unsigned char aes_128_no_df_returnedbits[] = { + 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, + 0x81, 0x37, 0x19, 0xd4 +}; + + +/* + * AES-192 no df PR + */ +static const unsigned char aes_192_no_df_pr_entropyinput[] = { + 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, + 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, + 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, + 0x17, 0x1f, 0x8d, 0x9a +}; +static const unsigned char aes_192_no_df_pr_nonce[] = { + 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, + 0x61, 0x5c, 0xee, 0x0f +}; +static const unsigned char aes_192_no_df_pr_personalizationstring[] = { + 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, + 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, + 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, + 0x57, 0x2e, 0xe7, 0x55 +}; +static const unsigned char aes_192_no_df_pr_additionalinput[] = { + 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, + 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, + 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, + 0xe2, 0xd0, 0x0c, 0x2f +}; +static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { + 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, + 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, + 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, + 0x1d, 0x30, 0xb3, 0x78 +}; +static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { + 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, + 0x7e, 0x3e, 0x0c, 0x26 +}; +static const unsigned char aes_192_no_df_pr_additionalinput2[] = { + 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, + 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, + 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, + 0x0c, 0x4b, 0xee, 0x6e +}; +static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { + 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, + 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, + 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, + 0x8e, 0x0a, 0x83, 0xdf +}; +static const unsigned char aes_192_no_df_pr_returnedbits[] = { + 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, + 0xb9, 0xa1, 0x21, 0x68 +}; + + +/* + * AES-192 no df no PR + */ +static const unsigned char aes_192_no_df_entropyinput[] = { + 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, + 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, + 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, + 0x94, 0xc3, 0x59, 0x63 +}; +static const unsigned char aes_192_no_df_nonce[] = { + 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, + 0x29, 0xfd, 0x45, 0x71 +}; +static const unsigned char aes_192_no_df_personalizationstring[] = { + 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, + 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, + 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, + 0x3b, 0x88, 0xce, 0x35 +}; +static const unsigned char aes_192_no_df_additionalinput[] = { + 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, + 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, + 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, + 0x3e, 0xbe, 0xd4, 0x8e +}; +static const unsigned char aes_192_no_df_int_returnedbits[] = { + 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, + 0x45, 0xe7, 0x4a, 0xc5 +}; +static const unsigned char aes_192_no_df_entropyinputreseed[] = { + 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, + 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, + 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, + 0x9b, 0xcb, 0x7e, 0x75 +}; +static const unsigned char aes_192_no_df_additionalinputreseed[] = { + 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01, + 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, + 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, + 0x5d, 0x7a, 0x25, 0x79 +}; +static const unsigned char aes_192_no_df_additionalinput2[] = { + 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, + 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, + 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, + 0x91, 0x6a, 0xe3, 0x5f +}; +static const unsigned char aes_192_no_df_returnedbits[] = { + 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, + 0x66, 0x67, 0x2c, 0x92 +}; + + +/* + * AES-256 no df PR + */ +static const unsigned char aes_256_no_df_pr_entropyinput[] = { + 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, + 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, + 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, + 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c, +}; +static const unsigned char aes_256_no_df_pr_nonce[] = { + 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, + 0xcc, 0x4b, 0xee, 0x2e +}; +static const unsigned char aes_256_no_df_pr_personalizationstring[] = { + 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, + 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, + 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, + 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06, +}; +static const unsigned char aes_256_no_df_pr_additionalinput[] = { + 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, + 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, + 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, + 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e, +}; +static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { + 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, + 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, + 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, + 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f, +}; +static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { + 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, + 0x79, 0x60, 0x93, 0xcf +}; +static const unsigned char aes_256_no_df_pr_additionalinput2[] = { + 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, + 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, + 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, + 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb, +}; +static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { + 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, + 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, + 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, + 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f, +}; +static const unsigned char aes_256_no_df_pr_returnedbits[] = { + 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, + 0x2d, 0x5f, 0x4a, 0x46 +}; + + +/* + * AES-256 no df no PR + */ +static const unsigned char aes_256_no_df_entropyinput[] = { + 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, + 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, + 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96, + 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3, +}; +static const unsigned char aes_256_no_df_nonce[] = { + 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, + 0x43, 0x96, 0xb9, 0xf0 +}; +static const unsigned char aes_256_no_df_personalizationstring[] = { + 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, + 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, + 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, + 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d, +}; +static const unsigned char aes_256_no_df_additionalinput[] = { + 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, + 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, + 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, + 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17, +}; +static const unsigned char aes_256_no_df_int_returnedbits[] = { + 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, + 0xd2, 0x25, 0x75, 0x0e +}; +static const unsigned char aes_256_no_df_entropyinputreseed[] = { + 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, + 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, + 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, + 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb, +}; +static const unsigned char aes_256_no_df_additionalinputreseed[] = { + 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, + 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, + 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, + 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29, +}; +static const unsigned char aes_256_no_df_additionalinput2[] = { + 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, + 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, + 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, + 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6, +}; +static const unsigned char aes_256_no_df_returnedbits[] = { + 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, + 0xf6, 0x02, 0x32, 0xe2 +}; diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t index 3b175fac24..64840dbe1d 100644 --- a/test/recipes/05-test_rand.t +++ b/test/recipes/05-test_rand.t @@ -6,7 +6,12 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html +use strict; +use warnings; +use OpenSSL::Test; -use OpenSSL::Test::Simple; +plan tests => 2; +setup("test_rand"); -simple_test("test_rand", "randtest", "rand"); +ok(run(test(["randtest"]))); +ok(run(test(["drbgtest"]))); diff --git a/util/libcrypto.num b/util/libcrypto.num index 436969429f..136fbafe72 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4345,3 +4345,16 @@ OSSL_STORE_LOADER_get0_engine 4287 1_1_1 EXIST::FUNCTION: OPENSSL_fork_prepare 4288 1_1_1 EXIST:UNIX:FUNCTION: OPENSSL_fork_parent 4289 1_1_1 EXIST:UNIX:FUNCTION: OPENSSL_fork_child 4290 1_1_1 EXIST:UNIX:FUNCTION: +RAND_drbg 4291 1_1_1 EXIST::FUNCTION: +RAND_DRBG_instantiate 4292 1_1_1 EXIST::FUNCTION: +RAND_DRBG_uninstantiate 4293 1_1_1 EXIST::FUNCTION: +RAND_DRBG_get_default 4294 1_1_1 EXIST::FUNCTION: +RAND_DRBG_set 4295 1_1_1 EXIST::FUNCTION: +RAND_DRBG_set_callbacks 4296 1_1_1 EXIST::FUNCTION: +RAND_DRBG_new 4297 1_1_1 EXIST::FUNCTION: +RAND_DRBG_set_reseed_interval 4298 1_1_1 EXIST::FUNCTION: +RAND_DRBG_free 4299 1_1_1 EXIST::FUNCTION: +RAND_DRBG_generate 4300 1_1_1 EXIST::FUNCTION: +RAND_DRBG_reseed 4301 1_1_1 EXIST::FUNCTION: +RAND_DRBG_set_ex_data 4302 1_1_1 EXIST::FUNCTION: +RAND_DRBG_get_ex_data 4303 1_1_1 EXIST::FUNCTION: diff --git a/util/mkdef.pl b/util/mkdef.pl index 6315a5bea5..b3eb6b3d9d 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -246,6 +246,7 @@ my $crypto ="include/internal/dso.h"; $crypto.=" include/internal/o_dir.h"; $crypto.=" include/internal/o_str.h"; $crypto.=" include/internal/err.h"; +$crypto.=" include/internal/rand.h"; foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) { my $fn = "include/openssl/" . lc(basename($f)); $crypto .= " $fn" if !defined $skipthese{$fn} && $f !~ m@/[a-z]+err\.h$@; -- 2.25.1