a3732c1a4abf0aaeefe279b4ff68ab95449621c2
[openssl.git] / fips / rand / fips_drbg_selftest.c
1 /* fips/rand/fips_drbg_selftest.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project.
4  */
5 /* ====================================================================
6  * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  */
53
54 #define OPENSSL_FIPSAPI
55
56 #include <string.h>
57 #include <openssl/crypto.h>
58 #include <openssl/evp.h>
59 #include <openssl/aes.h>
60 #include <openssl/err.h>
61 #include <openssl/fips_rand.h>
62 #include "fips_rand_lcl.h"
63
64 typedef struct {
65         int nid;
66         unsigned int flags;
67         const unsigned char *ent;
68         size_t entlen;
69         const unsigned char *nonce;
70         size_t noncelen;
71         const unsigned char *pers;
72         size_t perslen;
73         const unsigned char *adin;
74         size_t adinlen;
75         const unsigned char *entpr;
76         size_t entprlen;
77         const unsigned char *ading;
78         size_t adinglen;
79         const unsigned char *entg;
80         size_t entglen;
81         const unsigned char *kat;
82         size_t katlen;
83         } DRBG_SELFTEST_DATA;
84
85 #define make_drbg_test_data(nid, flag, pr) { nid, flag | DRBG_FLAG_TEST, \
86         pr##_entropyinput, sizeof(pr##_entropyinput), \
87         pr##_nonce, sizeof(pr##_nonce), \
88         pr##_personalizationstring, sizeof(pr##_personalizationstring), \
89         pr##_additionalinput, sizeof(pr##_additionalinput), \
90         pr##_entropyinputpr, sizeof(pr##_entropyinputpr), \
91         pr##_additionalinput2, sizeof(pr##_additionalinput2), \
92         pr##_entropyinputpr2, sizeof(pr##_entropyinputpr2), \
93         pr##_returnedbits, sizeof(pr##_returnedbits), \
94         }
95
96 #define make_drbg_test_data_df(nid, pr) \
97         make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr)
98
99 /* AES-128 use df PR */
100 static const unsigned char aes_128_use_df_entropyinput[] =
101         {
102         0x98,0x38,0x99,0x81,0x1d,0x56,0x1a,0x04,0xb0,0x50,0xcd,0x14,
103         0xc3,0x90,0x0b,0x4f
104         };
105
106 static const unsigned char aes_128_use_df_nonce[] =
107         {
108         0xa8,0xa0,0x80,0x8a,0x65,0xb7,0x38,0x22
109         };
110
111 static const unsigned char aes_128_use_df_personalizationstring[] =
112         {
113         0x67,0x4f,0x85,0x01,0x15,0x51,0x85,0xdd,0x97,0xda,0xf7,0x09,
114         0xbc,0x61,0xaf,0x23
115         };
116
117 static const unsigned char aes_128_use_df_additionalinput[] =
118         {
119         0x01,0xba,0xa8,0x13,0x9e,0xd4,0xb7,0xff,0x86,0x34,0x01,0xa0,
120         0xb6,0x17,0x96,0x55
121         };
122
123 static const unsigned char aes_128_use_df_entropyinputpr[] =
124         {
125         0x60,0x76,0xf6,0x12,0x6b,0x92,0xbe,0xd7,0x75,0x6e,0x78,0x1f,
126         0x0d,0xc1,0x0d,0x56
127         };
128
129 static const unsigned char aes_128_use_df_additionalinput2[] =
130         {
131         0xf0,0xd6,0x5b,0xa3,0x7c,0x1e,0xa3,0x65,0x08,0xf9,0xdd,0x90,
132         0xde,0x5f,0xb4,0x27
133         };
134
135 static const unsigned char aes_128_use_df_entropyinputpr2[] =
136         {
137         0x34,0x55,0x02,0xa9,0x30,0xf0,0x78,0x0a,0xa2,0xae,0x74,0x46,
138         0xe5,0xad,0xbb,0xd6
139         };
140
141 static const unsigned char aes_128_use_df_returnedbits[] =
142         {
143         0x48,0x52,0xb6,0x9f,0xf2,0xfe,0xe1,0x12,0xaf,0x22,0x87,0xd7,
144         0x46,0x64,0x96,0xec
145         };
146
147
148 /* AES-192 use df PR */
149 static const unsigned char aes_192_use_df_entropyinput[] =
150         {
151         0x12,0xf6,0xff,0xc5,0x81,0x8c,0x15,0xd7,0x33,0x0c,0x4f,0x45,
152         0xbf,0x2a,0x97,0xd2,0xe0,0xe0,0xbd,0x48,0x4e,0x83,0x76,0x25
153         };
154
155 static const unsigned char aes_192_use_df_nonce[] =
156         {
157         0x35,0xc8,0x16,0x8c,0xbd,0x1f,0x53,0xc4,0x6e,0x47,0x3a,0x74,
158         0x83,0xe6,0xe4,0x78
159         };
160
161 static const unsigned char aes_192_use_df_personalizationstring[] =
162         {
163         0xd6,0xe2,0x27,0x88,0xf4,0xce,0x9d,0xfc,0x92,0xde,0x07,0x57,
164         0x43,0x74,0x17,0x6e,0x63,0x54,0xaf,0x5a,0x3c,0xf8,0x23,0x65,
165         0x5a,0x15,0xb0,0x35,0x2a,0x6c,0x3c,0x3a
166         };
167
168 static const unsigned char aes_192_use_df_additionalinput[] =
169         {
170         0xad,0xa4,0x47,0xa4,0xcf,0x46,0x7b,0xf7,0x19,0xcc,0xda,0xbe,
171         0x11,0x42,0x85,0xaa,0x21,0x16,0x27,0xe6,0x35,0xdf,0xb5,0x87,
172         0x96,0x68,0x64,0x35,0x08,0x02,0xe9,0x19
173         };
174
175 static const unsigned char aes_192_use_df_entropyinputpr[] =
176         {
177         0x6f,0x41,0x2d,0x5e,0xd6,0xc9,0xf8,0x6a,0x22,0x00,0xe0,0xfb,
178         0x4b,0xcd,0xbe,0x2d,0x98,0xff,0x1b,0xe2,0xb9,0x95,0x73,0xac
179         };
180
181 static const unsigned char aes_192_use_df_additionalinput2[] =
182         {
183         0x51,0xea,0xd8,0x8e,0xa0,0xd7,0x9c,0x22,0x3c,0x01,0xf6,0xdb,
184         0xe9,0xe4,0x60,0x1e,0x54,0x56,0x3b,0x5c,0xd2,0xf3,0xa0,0x1d,
185         0x5c,0xd0,0x85,0x48,0xc9,0x5f,0x12,0xb7
186         };
187
188 static const unsigned char aes_192_use_df_entropyinputpr2[] =
189         {
190         0xf7,0x1f,0x9f,0x0e,0x14,0x30,0xde,0x4c,0xf9,0x34,0x49,0xc5,
191         0x24,0x91,0xe3,0x30,0xfd,0x5f,0x1e,0x79,0x30,0xf5,0x58,0xe6
192         };
193
194 static const unsigned char aes_192_use_df_returnedbits[] =
195         {
196         0x5b,0x8a,0xca,0x2e,0x74,0xb6,0x6f,0x96,0x48,0xb0,0xe4,0xc1,
197         0x68,0x40,0xac,0xc7
198         };
199
200
201 /* AES-256 use df PR */
202 static const unsigned char aes_256_use_df_entropyinput[] =
203         {
204         0x2a,0x02,0xbe,0xaa,0xba,0xb4,0x6a,0x73,0x53,0x85,0xa9,0x2a,
205         0xae,0x4a,0xdc,0xeb,0xe8,0x07,0xfb,0xf3,0xbc,0xe3,0xf4,0x2e,
206         0x00,0x53,0x46,0x00,0x64,0x80,0xdd,0x57
207         };
208
209 static const unsigned char aes_256_use_df_nonce[] =
210         {
211         0x2c,0x86,0xa2,0xf9,0x70,0xb5,0xca,0xd3,0x9a,0x08,0xdc,0xb6,
212         0x6b,0xce,0xe5,0x05
213         };
214
215 static const unsigned char aes_256_use_df_personalizationstring[] =
216         {
217         0xdb,0x6c,0xe1,0x84,0xbe,0x07,0xae,0x55,0x4e,0x34,0x5d,0xb8,
218         0x47,0x98,0x85,0xe0,0x3d,0x3e,0x9f,0x60,0xfa,0x1c,0x7d,0x57,
219         0x19,0xe5,0x09,0xdc,0xe2,0x10,0x41,0xab
220         };
221
222 static const unsigned char aes_256_use_df_additionalinput[] =
223         {
224         0x1d,0xc3,0x11,0x93,0xcb,0xc4,0xf6,0xbb,0x57,0xb0,0x09,0x70,
225         0xb9,0xc6,0x05,0x86,0x4e,0x75,0x95,0x7d,0x3d,0xec,0xce,0xb4,
226         0x0b,0xe4,0xef,0xd1,0x7b,0xab,0x56,0x6f
227         };
228
229 static const unsigned char aes_256_use_df_entropyinputpr[] =
230         {
231         0x8f,0xb9,0xab,0xf9,0x33,0xcc,0xbe,0xc6,0xbd,0x8b,0x61,0x5a,
232         0xec,0xc6,0x4a,0x5b,0x03,0x21,0xe7,0x37,0x03,0x02,0xbc,0xa5,
233         0x28,0xb9,0xfe,0x7a,0xa8,0xef,0x6f,0xb0
234         };
235
236 static const unsigned char aes_256_use_df_additionalinput2[] =
237         {
238         0xd6,0x98,0x63,0x48,0x94,0x9f,0x26,0xf7,0x1f,0x44,0x13,0x23,
239         0xa7,0xde,0x09,0x12,0x90,0x04,0xce,0xbc,0xac,0x82,0x70,0x58,
240         0xba,0x7d,0xdc,0x25,0x1e,0xe4,0xbf,0x7c
241         };
242
243 static const unsigned char aes_256_use_df_entropyinputpr2[] =
244         {
245         0xe5,0x04,0xef,0x7c,0x8d,0x02,0xd7,0x68,0x95,0x4c,0x64,0x34,
246         0x30,0x3a,0xcb,0x07,0xc9,0x0a,0xef,0x26,0xc6,0x57,0x43,0xfb,
247         0x7d,0xbe,0xe2,0x61,0x75,0xcd,0xee,0x34
248         };
249
250 static const unsigned char aes_256_use_df_returnedbits[] =
251         {
252         0x75,0x6d,0x16,0xef,0x14,0xae,0xd9,0xc2,0x28,0x0b,0x66,0xff,
253         0x20,0x1f,0x21,0x33
254         };
255
256
257 /* AES-128 no df PR */
258 static const unsigned char aes_128_no_df_entropyinput[] =
259         {
260         0xbe,0x91,0xb9,0x09,0x91,0x13,0x0b,0xbd,0x7b,0x95,0x77,0xed,
261         0xf2,0x00,0xff,0x2a,0xec,0xbd,0x7a,0x11,0x59,0xe1,0x32,0x1a,
262         0xe3,0x9a,0xbd,0xa2,0xe4,0xd9,0x1a,0x39
263         };
264
265 static const unsigned char aes_128_no_df_nonce[] =
266         {
267         0x39,0xeb,0x7a,0x42,0x0b,0x7f,0x4f,0xd5
268         };
269
270 static const unsigned char aes_128_no_df_personalizationstring[] =
271         {
272         0xd0,0xe4,0x9c,0xf6,0x2f,0xc8,0xba,0x6d,0xb9,0x91,0x8f,0xc1,
273         0x45,0x5b,0xb9,0x4f,0xdb,0x36,0xd6,0x71,0x2c,0x4b,0x2a,0x4c,
274         0x50,0x4c,0x74,0xdb,0xc5,0x20,0x0b,0x3b
275         };
276
277 static const unsigned char aes_128_no_df_additionalinput[] =
278         {
279         0x7c,0x35,0x81,0x03,0x58,0x93,0x24,0xf7,0x9c,0x98,0x4a,0x9d,
280         0x94,0xbd,0x9d,0x77,0x64,0xda,0xa4,0x67,0x66,0xb7,0x43,0xde,
281         0xc5,0xd5,0x72,0x42,0x5a,0x7c,0x41,0x9f
282         };
283
284 static const unsigned char aes_128_no_df_entropyinputpr[] =
285         {
286         0x63,0xf6,0x0e,0xfe,0x56,0xad,0x8f,0x37,0xa8,0xa1,0x6a,0x83,
287         0x01,0xac,0x51,0xe0,0x86,0x26,0xce,0x5c,0x57,0x14,0xd8,0xde,
288         0x4d,0x93,0xb6,0x35,0xf4,0x85,0x18,0x60
289         };
290
291 static const unsigned char aes_128_no_df_additionalinput2[] =
292         {
293         0x90,0x0f,0x35,0x81,0xc5,0xf5,0xc8,0x1b,0x80,0x99,0xcd,0xe2,
294         0xbb,0xe2,0xc7,0x65,0x40,0x74,0x50,0x2b,0x89,0xb4,0x16,0x60,
295         0xd7,0x1e,0x15,0xbf,0x91,0xc9,0x15,0xc2
296         };
297
298 static const unsigned char aes_128_no_df_entropyinputpr2[] =
299         {
300         0xc7,0x9f,0xd6,0x9b,0xe2,0x74,0x3e,0x8c,0x12,0xdd,0x41,0xcd,
301         0x51,0x6b,0xd4,0x71,0x3e,0xd0,0x36,0xc7,0xb9,0xa6,0xaf,0xca,
302         0xc0,0x7e,0x89,0xc4,0x88,0x2b,0x4e,0x43
303         };
304
305 static const unsigned char aes_128_no_df_returnedbits[] =
306         {
307         0x8c,0x7f,0x69,0xbf,0xb8,0x07,0x17,0xa6,0x09,0xef,0xd2,0x0a,
308         0x5f,0x20,0x18,0x2f
309         };
310
311
312 /* AES-192 no df PR */
313 static const unsigned char aes_192_no_df_entropyinput[] =
314         {
315         0xd5,0xcb,0x5b,0xc5,0x5b,0xa6,0x97,0xb6,0x1e,0x57,0x92,0xbb,
316         0x14,0x72,0xeb,0xae,0x44,0x85,0x99,0xa3,0xa3,0x24,0xe5,0x91,
317         0x2e,0x34,0xa7,0x3f,0x48,0x7a,0xc4,0x72,0x54,0x65,0xe6,0x57,
318         0x94,0x1a,0x7c,0x2d
319         };
320
321 static const unsigned char aes_192_no_df_nonce[] =
322         {
323         0x74,0x7a,0x38,0x81,0xef,0xca,0xd1,0xb6,0x7b,0xb5,0x1e,0x62,
324         0xf9,0x80,0x2c,0xe5
325         };
326
327 static const unsigned char aes_192_no_df_personalizationstring[] =
328         {
329         0x03,0xf8,0xbe,0xe8,0x6a,0x90,0x2a,0x4f,0xbd,0x80,0xd0,0x31,
330         0xf0,0x59,0xa3,0xf6,0x87,0xd8,0x8d,0x0d,0xac,0x27,0xa2,0xd2,
331         0x91,0x72,0xa5,0xc1,0x07,0xac,0xbf,0xdb,0x5d,0xa1,0x7d,0x56,
332         0x7d,0x3f,0x09,0x8b
333         };
334
335 static const unsigned char aes_192_no_df_additionalinput[] =
336         {
337         0x3e,0x89,0x1b,0x17,0xcb,0xe3,0xc8,0x76,0x71,0x0d,0xaf,0x97,
338         0x1e,0x73,0xa6,0xc4,0x88,0x3d,0x46,0xad,0xf0,0xba,0xc3,0x7e,
339         0x17,0x10,0x0d,0x20,0x80,0x23,0x26,0xcc,0xe6,0xc4,0xc4,0xd8,
340         0xfe,0x1d,0x2a,0xbc
341         };
342
343 static const unsigned char aes_192_no_df_entropyinputpr[] =
344         {
345         0x3f,0x33,0xb8,0x1b,0xe1,0x1b,0xe7,0xbe,0x68,0x6f,0xd2,0xd8,
346         0x6f,0xb6,0xf0,0xd2,0xa1,0x1c,0x83,0x24,0xfe,0x5d,0xf2,0xe9,
347         0x4b,0xf0,0x63,0xa2,0xd8,0x76,0x9e,0x49,0x78,0x64,0x1f,0x98,
348         0xbc,0xee,0x7c,0x99
349         };
350
351 static const unsigned char aes_192_no_df_additionalinput2[] =
352         {
353         0x54,0x48,0xf9,0x6a,0x86,0x93,0xf3,0x7b,0x02,0x1b,0xf6,0x46,
354         0x3a,0x49,0x02,0x87,0x3f,0x54,0x82,0x7f,0xa1,0x45,0x41,0xa5,
355         0x88,0x4b,0xaa,0x90,0x12,0x40,0x46,0x22,0xed,0x7a,0x72,0xf7,
356         0x36,0xd5,0x5f,0x0f
357         };
358
359 static const unsigned char aes_192_no_df_entropyinputpr2[] =
360         {
361         0x00,0xdf,0xa1,0x50,0xc1,0xb9,0x82,0x7f,0x65,0xea,0x0f,0x14,
362         0x79,0xfe,0x6a,0x95,0x4b,0x96,0xae,0x89,0x28,0x52,0x49,0x05,
363         0xd9,0x00,0x9e,0x79,0x5e,0x04,0xdb,0xbb,0xec,0x09,0x16,0x53,
364         0x23,0xe9,0xac,0x08
365         };
366
367 static const unsigned char aes_192_no_df_returnedbits[] =
368         {
369         0x48,0xd6,0x66,0x61,0x93,0x8d,0xff,0x7d,0x42,0xf4,0x41,0x9a,
370         0x01,0x2a,0x34,0x09
371         };
372
373
374 /* AES-256 no df PR */
375 static const unsigned char aes_256_no_df_entropyinput[] =
376         {
377         0x7e,0x83,0x3f,0xa6,0x39,0xdc,0xcb,0x38,0x17,0x6a,0xa3,0x59,
378         0xa9,0x8c,0x1f,0x50,0xd3,0xdb,0x34,0xdd,0xa4,0x39,0x65,0xe4,
379         0x77,0x17,0x08,0x57,0x49,0x04,0xbd,0x68,0x5c,0x7d,0x2a,0xee,
380         0x0c,0xf2,0xfb,0x16,0xef,0x16,0x18,0x4d,0x32,0x6a,0x26,0x6c
381         };
382
383 static const unsigned char aes_256_no_df_nonce[] =
384         {
385         0xa3,0x8a,0xa4,0x6d,0xa6,0xc1,0x40,0xf8,0xa3,0x02,0xf1,0xac,
386         0xf3,0xea,0x7f,0x2d
387         };
388
389 static const unsigned char aes_256_no_df_personalizationstring[] =
390         {
391         0xc0,0x54,0x1e,0xa5,0x93,0xd9,0x8b,0x2b,0x43,0x15,0x2c,0x07,
392         0x26,0x25,0xc7,0x08,0xf0,0xb3,0x4b,0x44,0x96,0xfe,0xc7,0xc5,
393         0x64,0x27,0xaa,0x78,0x5b,0xbc,0x40,0x51,0xce,0x89,0x6b,0xc1,
394         0x3f,0x9c,0xa0,0x5c,0x75,0x98,0x24,0xc5,0xe1,0x3e,0x86,0xdb
395         };
396
397 static const unsigned char aes_256_no_df_additionalinput[] =
398         {
399         0x0e,0xe3,0x0f,0x07,0x90,0xe2,0xde,0x20,0xb6,0xf7,0x6f,0xef,
400         0x87,0xdc,0x7f,0xc4,0x0d,0x9d,0x05,0x31,0x91,0x87,0x8c,0x9a,
401         0x19,0x53,0xd2,0xf8,0x20,0x91,0xa0,0xef,0x97,0x59,0xea,0x12,
402         0x1b,0x2f,0x29,0x74,0x76,0x35,0xf7,0x71,0x5a,0x96,0xeb,0xbc
403         };
404
405 static const unsigned char aes_256_no_df_entropyinputpr[] =
406         {
407         0x37,0x26,0x9a,0xa6,0x28,0xe0,0x35,0x78,0x12,0x42,0x44,0x5c,
408         0x55,0xbc,0xc8,0xb6,0x1f,0x24,0xf3,0x32,0x88,0x02,0x69,0xa7,
409         0xed,0x1d,0xb7,0x4d,0x8b,0x44,0x12,0x21,0x5e,0x60,0x53,0x96,
410         0x3b,0xb9,0x31,0x7f,0x2a,0x87,0xbf,0x3c,0x07,0xbb,0x27,0x22
411         };
412
413 static const unsigned char aes_256_no_df_additionalinput2[] =
414         {
415         0xf1,0x24,0x35,0xa6,0x8c,0x93,0x28,0x7e,0x84,0xea,0x3d,0x27,
416         0x44,0x18,0xc9,0x13,0x73,0x49,0xb9,0x83,0x79,0x15,0x29,0x53,
417         0x2f,0xef,0x43,0x06,0xe7,0xcb,0x5c,0x0f,0x9f,0x10,0x4c,0x60,
418         0x7f,0xbf,0x0c,0x37,0x9b,0xe4,0x94,0x26,0xe5,0x3b,0xf5,0x63
419         };
420
421 static const unsigned char aes_256_no_df_entropyinputpr2[] =
422         {
423         0xdc,0x91,0x48,0x11,0x63,0x7b,0x79,0x41,0x36,0x8c,0x4f,0xe2,
424         0xc9,0x84,0x04,0x9c,0xdc,0x5b,0x6c,0x8d,0x61,0x52,0xea,0xfa,
425         0x92,0x3b,0xb4,0x36,0x4c,0x06,0x4a,0xd1,0xb1,0x8e,0x32,0x03,
426         0xfd,0xa4,0xf7,0x5a,0xa6,0x5c,0x63,0xa1,0xb9,0x96,0xfa,0x12
427         };
428
429 static const unsigned char aes_256_no_df_returnedbits[] =
430         {
431         0x1c,0xba,0xfd,0x48,0x0f,0xf4,0x85,0x63,0xd6,0x7d,0x91,0x14,
432         0xef,0x67,0x6b,0x7f
433         };
434
435 /* SHA-1 PR */
436 static const unsigned char sha1_entropyinput[] =
437         {
438         0x5b,0xaf,0x30,0x1a,0xdc,0xd1,0x04,0xd7,0x95,0x72,0xd2,0xfb,
439         0xec,0x2d,0x62,0x2b
440         };
441
442 static const unsigned char sha1_nonce[] =
443         {
444         0xf3,0xd9,0xcb,0x92,0x5f,0x50,0x4c,0x99
445         };
446
447 static const unsigned char sha1_personalizationstring[] =
448         {
449         0x8f,0x56,0x70,0xd9,0x27,0xa2,0xb4,0xf1,0xb3,0xad,0xcf,0x10,
450         0x06,0x16,0x5c,0x11
451         };
452
453 static const unsigned char sha1_additionalinput[] =
454         {
455         0x49,0xdd,0x0c,0xb4,0xab,0x84,0xe1,0x7e,0x94,0x20,0xad,0x6c,
456         0xd7,0xd2,0x0b,0x84
457         };
458
459 static const unsigned char sha1_entropyinputpr[] =
460         {
461         0x23,0x4a,0xaf,0xf7,0x1a,0x0b,0x7e,0x51,0xdd,0x23,0x51,0x82,
462         0x2c,0x8c,0xa6,0xc5
463         };
464
465 static const unsigned char sha1_additionalinput2[] =
466         {
467         0x59,0xe6,0x93,0xcb,0x38,0x23,0xf5,0x7b,0x93,0x5a,0x4d,0xfa,
468         0x11,0xb8,0x88,0xde
469         };
470
471 static const unsigned char sha1_entropyinputpr2[] =
472         {
473         0x2e,0x00,0x78,0x5a,0xcd,0x30,0xea,0x73,0x37,0x8a,0x0d,0x12,
474         0x50,0x28,0x28,0x03
475         };
476
477 static const unsigned char sha1_returnedbits[] =
478         {
479         0xe7,0x87,0x8b,0x01,0xc1,0xd3,0xd8,0x43,0xd4,0x8f,0xcd,0x24,
480         0x54,0x67,0xa2,0x6e,0x17,0x94,0x73,0x1c
481         };
482
483
484 /* SHA-224 PR */
485 static const unsigned char sha224_entropyinput[] =
486         {
487         0xfc,0x31,0xc1,0x87,0x43,0x07,0xb1,0xe5,0x71,0x48,0x5d,0x0e,
488         0xad,0xf8,0x68,0x09,0x6f,0xfe,0x80,0x2a,0xc1,0x12,0xb8,0xa6
489         };
490
491 static const unsigned char sha224_nonce[] =
492         {
493         0xfd,0xba,0x25,0x2e,0xc1,0x7c,0x4e,0xa1,0x4d,0xef,0xeb,0x5d
494         };
495
496 static const unsigned char sha224_personalizationstring[] =
497         {
498         0xc9,0x15,0xe4,0x8c,0x2a,0x4c,0xc9,0xe6,0x23,0x5c,0xb8,0x5a,
499         0x97,0x89,0x6a,0x10,0x75,0x68,0x27,0x00,0x0e,0x6f,0x44,0x1e
500         };
501
502 static const unsigned char sha224_additionalinput[] =
503         {
504         0xd3,0xab,0x74,0x74,0xe7,0x80,0x87,0x9e,0x89,0x08,0xbe,0xf1,
505         0x99,0x09,0x26,0xa4,0x2b,0x8c,0xb7,0xa0,0xc2,0xcc,0xae,0x0a
506         };
507
508 static const unsigned char sha224_entropyinputpr[] =
509         {
510         0xbd,0xc1,0x21,0x62,0x43,0x19,0x25,0x15,0x19,0xc5,0xcd,0x53,
511         0x9e,0xb4,0x17,0xff,0xaa,0x03,0xf6,0x5a,0x4d,0x69,0x28,0x0b
512         };
513
514 static const unsigned char sha224_additionalinput2[] =
515         {
516         0xdb,0xf5,0x57,0xea,0x5b,0xc8,0x0a,0xa9,0x32,0x72,0xcf,0x7d,
517         0xa4,0xeb,0x4f,0xbf,0x64,0x5d,0x74,0x04,0x0e,0x4e,0x0f,0xed
518         };
519
520 static const unsigned char sha224_entropyinputpr2[] =
521         {
522         0xab,0xce,0xe1,0xfd,0xaa,0x35,0x5c,0x0a,0xfe,0xd8,0x18,0xac,
523         0x92,0x79,0x79,0x53,0xbc,0xb5,0x45,0xf6,0xf9,0x73,0x7f,0x24
524         };
525
526 static const unsigned char sha224_returnedbits[] =
527         {
528         0xb2,0xc2,0x40,0xc4,0x2a,0x25,0x63,0xdb,0x99,0x59,0x7b,0x7b,
529         0xee,0xdb,0x51,0x8d,0x18,0x4c,0x09,0x26,0x22,0x1a,0xe9,0x76,
530         0x54,0x5f,0xb5,0x28
531         };
532
533
534 /* SHA-256 PR */
535 static const unsigned char sha256_entropyinput[] =
536         {
537         0xbc,0x67,0x4e,0x95,0xf1,0xca,0x71,0xdd,0xd3,0x97,0x3a,0x39,
538         0x3f,0x3d,0x7f,0xf2,0x99,0x02,0xcf,0x12,0x02,0xea,0xcc,0xf3,
539         0xd7,0xe7,0xcc,0x08,0x6c,0x41,0xb1,0xed
540         };
541
542 static const unsigned char sha256_nonce[] =
543         {
544         0x44,0x06,0xa7,0x61,0x15,0x0a,0x6a,0x2d,0xa9,0x18,0x10,0xb5,
545         0x6d,0xf0,0xd4,0xf7
546         };
547
548 static const unsigned char sha256_personalizationstring[] =
549         {
550         0x8f,0x39,0xd5,0x6a,0x46,0xde,0xa2,0x57,0xdf,0x39,0xdb,0xca,
551         0x13,0xca,0x51,0x0f,0x43,0x2a,0x77,0x3a,0x38,0x7a,0x3b,0x35,
552         0x1e,0x13,0x26,0x0e,0xc1,0x6b,0xb6,0x81
553         };
554
555 static const unsigned char sha256_additionalinput[] =
556         {
557         0x95,0x01,0xbe,0x52,0xaa,0xc4,0x32,0x5a,0x3c,0xea,0x57,0xc4,
558         0x5c,0xfa,0x25,0x4e,0xc5,0xf3,0xc2,0xa6,0x39,0xce,0x00,0x97,
559         0x19,0x50,0x17,0x71,0x44,0x13,0xa5,0xbd
560         };
561
562 static const unsigned char sha256_entropyinputpr[] =
563         {
564         0x8e,0x8a,0x19,0x03,0xa7,0x77,0xaa,0x64,0x4f,0x11,0x45,0x1d,
565         0x66,0x74,0x88,0xdf,0x2c,0x9b,0xc3,0xc8,0xbb,0x8c,0x99,0x34,
566         0xc6,0xc7,0xdb,0xc1,0x92,0xef,0xa3,0xa3
567         };
568
569 static const unsigned char sha256_additionalinput2[] =
570         {
571         0x2b,0x91,0x7f,0xf3,0x78,0x3f,0x18,0x73,0x7c,0x5f,0xc2,0xda,
572         0x1d,0x8c,0xc4,0xcd,0x74,0x4d,0xc1,0x7a,0x6c,0xe2,0x73,0x07,
573         0x9d,0x55,0xa8,0x42,0x69,0xc0,0x7c,0x85
574         };
575
576 static const unsigned char sha256_entropyinputpr2[] =
577         {
578         0x4c,0x3f,0xee,0x8b,0x98,0x0e,0x55,0x7e,0xab,0xc3,0xd3,0x0e,
579         0x35,0x33,0x72,0x75,0x9f,0x4b,0x87,0xce,0x05,0xbe,0xd4,0x6b,
580         0x70,0xec,0xdb,0x5a,0x57,0x14,0x83,0x34
581         };
582
583 static const unsigned char sha256_returnedbits[] =
584         {
585         0xa5,0x2c,0xab,0x93,0x63,0x57,0x5d,0x60,0x80,0x4c,0x71,0xbb,
586         0xc2,0x3d,0x43,0x13,0xd8,0xe1,0x60,0x63,0x5e,0xf8,0xb1,0x4c,
587         0x93,0x06,0x86,0x9e,0x03,0x0a,0x16,0x75
588         };
589
590
591 /* SHA-384 PR */
592 static const unsigned char sha384_entropyinput[] =
593         {
594         0xad,0x6c,0xfb,0xdd,0x40,0xd9,0xf1,0x0a,0xc6,0xe4,0x28,0xf9,
595         0x8c,0xb1,0x66,0xce,0x7e,0x7f,0xbb,0xea,0xcd,0x79,0x3d,0x54,
596         0xc6,0xc0,0x07,0x68,0xf0,0xb7,0x73,0xc5
597         };
598
599 static const unsigned char sha384_nonce[] =
600         {
601         0xfb,0xe1,0xb2,0x81,0x77,0xb0,0x14,0x94,0xae,0xbb,0x8d,0x01,
602         0xfb,0x74,0xc9,0xa1
603         };
604
605 static const unsigned char sha384_personalizationstring[] =
606         {
607         0x02,0x8e,0xa9,0xc2,0x7e,0x0e,0x78,0xea,0x29,0xca,0x19,0xd4,
608         0x58,0x89,0x71,0x45,0x18,0xd9,0x1f,0xc0,0x8f,0x92,0x02,0xb8,
609         0x90,0xa7,0xec,0xf6,0x7f,0x33,0xa6,0x47
610         };
611
612 static const unsigned char sha384_additionalinput[] =
613         {
614         0x98,0x0e,0xe3,0x3c,0x8e,0x6b,0x82,0xc0,0x56,0xd0,0x93,0x14,
615         0x6a,0x79,0xa8,0xec,0x09,0xb7,0x49,0x01,0x71,0xdb,0x58,0x97,
616         0x5a,0x61,0xa5,0x4e,0xb4,0x5f,0xce,0x2b
617         };
618
619 static const unsigned char sha384_entropyinputpr[] =
620         {
621         0x50,0xef,0xaa,0x65,0x95,0x0d,0x4f,0x97,0x3e,0x57,0x59,0x48,
622         0xf9,0x4e,0xee,0x51,0xf8,0x46,0xec,0x4c,0x2d,0x55,0x47,0x23,
623         0xc5,0x7b,0xa3,0xda,0xe5,0x12,0x34,0x9a
624         };
625
626 static const unsigned char sha384_additionalinput2[] =
627         {
628         0x1c,0xcd,0xe0,0xc1,0x15,0xd4,0x7f,0xfa,0x9e,0x16,0xe7,0x6d,
629         0x22,0x55,0xfd,0x34,0x3f,0xec,0x1d,0x40,0x9e,0xdd,0x15,0x07,
630         0x13,0x1c,0x65,0x6e,0xf7,0x1c,0xb6,0xf8
631         };
632
633 static const unsigned char sha384_entropyinputpr2[] =
634         {
635         0xa0,0x8b,0x48,0xdc,0x7b,0x74,0x54,0xd0,0x0a,0x10,0x0e,0xc9,
636         0xf2,0xe0,0xf0,0x30,0x38,0xf5,0x46,0x27,0xf4,0x54,0x06,0x95,
637         0x56,0xab,0xf4,0x74,0xd8,0x34,0xf5,0x5d
638         };
639
640 static const unsigned char sha384_returnedbits[] =
641         {
642         0x03,0x54,0x62,0xaa,0x5c,0x61,0x28,0xfc,0x96,0x04,0xd6,0x4f,
643         0x50,0x5c,0x9e,0x7c,0x9e,0x1d,0x41,0x76,0x41,0xa0,0x60,0x70,
644         0x62,0x4f,0x42,0x1a,0x69,0xce,0x30,0xc4,0xf7,0x89,0xc8,0x93,
645         0xed,0xe9,0x42,0xf4,0x59,0x55,0x7c,0x6c,0xd3,0x4e,0xff,0x05
646         };
647
648
649 /* SHA-512 PR */
650 static const unsigned char sha512_entropyinput[] =
651         {
652         0x22,0xb1,0x72,0xe3,0xc4,0x87,0xe7,0x76,0x4e,0x85,0xb5,0xca,
653         0x86,0x4f,0x21,0x2b,0x4f,0x29,0x8e,0x8a,0xfc,0x88,0xfc,0xa1,
654         0xf6,0xd7,0xc1,0x63,0x90,0x8d,0x85,0xa9
655         };
656
657 static const unsigned char sha512_nonce[] =
658         {
659         0xcc,0x8b,0x86,0x21,0xa7,0xbe,0xd3,0xe1,0xde,0xd2,0x47,0xfc,
660         0x9c,0x4a,0xdb,0x85
661         };
662
663 static const unsigned char sha512_personalizationstring[] =
664         {
665         0xb7,0x7c,0xb3,0x4f,0xf8,0xcd,0x19,0x89,0xdb,0x0c,0xcf,0xc9,
666         0xce,0xcd,0x48,0xcd,0x62,0x9c,0x51,0x38,0x85,0xe4,0x6c,0x17,
667         0x02,0x1b,0x6b,0xb5,0x3c,0x31,0x4f,0xa1
668         };
669
670 static const unsigned char sha512_additionalinput[] =
671         {
672         0x69,0x3f,0xcf,0xf5,0x38,0x09,0x0d,0x3c,0xfb,0xea,0x94,0xa6,
673         0xf3,0xdc,0xb3,0xa8,0xcb,0x61,0x3b,0x8d,0x8e,0x31,0x94,0xc2,
674         0xe8,0x20,0x1c,0x62,0xa0,0x54,0xc2,0x03
675         };
676
677 static const unsigned char sha512_entropyinputpr[] =
678         {
679         0xa0,0xcf,0x6f,0x0f,0x55,0x88,0x84,0xad,0x8d,0x2e,0x08,0x91,
680         0x8a,0x65,0xc0,0xb4,0xc9,0xbe,0x21,0x29,0xbe,0x23,0x2d,0x2b,
681         0xd1,0x81,0x90,0x66,0x97,0xb6,0xfa,0x84
682         };
683
684 static const unsigned char sha512_additionalinput2[] =
685         {
686         0x1f,0x5e,0x49,0xb5,0xa3,0xfa,0xe8,0x89,0xc5,0x1b,0x39,0x2b,
687         0x9e,0xc7,0x36,0x85,0x5b,0xa9,0x9f,0x91,0x79,0xfe,0x5c,0xe6,
688         0x41,0xbe,0x14,0x87,0x81,0x08,0x0d,0xee
689         };
690 /* NB: not constant so we can corrupt it */
691 static unsigned char sha512_entropyinputpr2[] =
692         {
693         0xed,0x22,0x42,0x61,0xa7,0x4c,0xed,0xc7,0x10,0x82,0x61,0x17,
694         0xaa,0x7d,0xdb,0x4e,0x1c,0x96,0x61,0x23,0xcd,0x8f,0x84,0x77,
695         0xc3,0xa2,0x55,0xff,0xbb,0xc9,0xa6,0x2f
696         };
697
698 static const unsigned char sha512_returnedbits[] =
699         {
700         0x79,0x60,0x41,0xaa,0x6c,0xdd,0x17,0x28,0xc0,0x4d,0xc0,0x17,
701         0xc0,0x66,0x46,0x67,0x0d,0x20,0xe2,0x67,0x96,0xd5,0x2a,0xf4,
702         0x58,0x0a,0x06,0xab,0xc1,0x4c,0x70,0xc1,0xb8,0x9d,0x68,0x79,
703         0x28,0x07,0x38,0x4a,0xc3,0xec,0x3b,0x19,0x02,0xe7,0x13,0x82,
704         0x8f,0xc3,0xed,0x59,0x88,0xdd,0x88,0xaf,0xac,0xf0,0x57,0x6c,
705         0x14,0x0b,0x50,0x11
706         };
707
708
709
710 static DRBG_SELFTEST_DATA drbg_test[] = {
711         make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df),
712         make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df),
713         make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df),
714         make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df),
715         make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df),
716         make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df),
717         make_drbg_test_data(NID_sha1, 0, sha1),
718         make_drbg_test_data(NID_sha224, 0, sha224),
719         make_drbg_test_data(NID_sha256, 0, sha256),
720         make_drbg_test_data(NID_sha384, 0, sha384),
721         make_drbg_test_data(NID_sha512, 0, sha512),
722         {0,0,0}
723         };
724
725 typedef struct 
726         {
727         const unsigned char *ent;
728         size_t entlen;
729         int entcnt;
730         const unsigned char *nonce;
731         size_t noncelen;
732         int noncecnt;
733         } TEST_ENT;
734
735 static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
736                                 int entropy, size_t min_len, size_t max_len)
737         {
738         TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
739         *pout = (unsigned char *)t->ent;
740         t->entcnt++;
741         return t->entlen;
742         }
743
744 static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
745                                 int entropy, size_t min_len, size_t max_len)
746         {
747         TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
748         *pout = (unsigned char *)t->nonce;
749         t->noncecnt++;
750         return t->noncelen;
751         }
752
753 void FIPS_corrupt_drbg(void)
754         {
755         sha512_entropyinputpr2[0]++;
756         }
757
758 static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
759         {
760         TEST_ENT t;
761         int rv = 0;
762         unsigned char randout[1024];
763         if (!FIPS_drbg_init(dctx, td->nid, td->flags))
764                 return 0;
765         if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, test_nonce, 0))
766                 return 0;
767
768         FIPS_drbg_set_app_data(dctx, &t);
769
770         t.ent = td->ent;
771         t.entlen = td->entlen;
772         t.nonce = td->nonce;
773         t.noncelen = td->noncelen;
774         t.entcnt = 0;
775         t.noncecnt = 0;
776
777         if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
778                 goto err;
779
780         t.ent = td->entpr;
781         t.entlen = td->entprlen;
782
783         if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
784                                 td->adin, td->adinlen))
785                 goto err;
786
787         t.ent = td->entg;
788         t.entlen = td->entglen;
789
790         if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
791                                 td->ading, td->adinglen))
792                 goto err;
793
794         if (memcmp(randout, td->kat, td->katlen))
795                 goto err;
796
797         rv = 1;
798
799         err:
800         FIPS_drbg_uninstantiate(dctx);
801         
802         return rv;
803         }
804
805 /* This is the "health check" function required by SP800-90. Induce several
806  * failure modes and check an error condition is set.
807  */
808
809 static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
810         {
811         unsigned char randout[1024];
812         TEST_ENT t;
813         size_t i;
814         unsigned char *p = (unsigned char *)dctx;
815
816         /* Initialise DRBG */
817
818         if (!FIPS_drbg_init(dctx, td->nid, td->flags))
819                 goto err;
820
821         if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, test_nonce, 0))
822                 goto err;
823
824         FIPS_drbg_set_app_data(dctx, &t);
825
826         t.ent = td->ent;
827         t.entlen = td->entlen;
828         t.nonce = td->nonce;
829         t.noncelen = td->noncelen;
830         t.entcnt = 0;
831         t.noncecnt = 0;
832
833         /* Don't report induced errors */
834         dctx->flags |= DRBG_FLAG_NOERR;
835
836         /* Try too large a personalisation length */
837         if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
838                 {
839                 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
840                 goto err;
841                 }
842
843         /* Test entropy source failure detection */
844
845         t.entlen = 0;
846         if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
847                 {
848                 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
849                 goto err;
850                 }
851
852         /* Try to generate output from uninstantiated DRBG */
853         if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
854                                 td->adin, td->adinlen))
855                 {
856                 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
857                 goto err;
858                 }
859
860         /* Instantiate with valid data. NB: errors now reported again */
861         if (!FIPS_drbg_init(dctx, td->nid, td->flags))
862                 goto err;
863         if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, test_nonce, 0))
864                 goto err;
865         FIPS_drbg_set_app_data(dctx, &t);
866
867         t.entlen = td->entlen;
868         if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
869                 goto err;
870
871         /* Check generation is now OK */
872         if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
873                                 td->adin, td->adinlen))
874                 goto err;
875
876         /* Try to generate with too high a strength.
877          */
878
879         dctx->flags |= DRBG_FLAG_NOERR;
880         if (dctx->strength != 256)
881                 {
882                 if (FIPS_drbg_generate(dctx, randout, td->katlen, 256, 0,
883                                         td->adin, td->adinlen))
884                         {
885                         FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_STRENGTH_ERROR_UNDETECTED);
886
887                         goto err;
888                         }
889                 }
890
891         /* Request too much data for one request */
892         if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, 0,
893                                 td->adin, td->adinlen))
894                 {
895                 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
896                 goto err;
897                 }
898
899         /* Check prediction resistance request fails if entropy source
900          * failure.
901          */
902
903         t.entlen = 0;
904
905         if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
906                                 td->adin, td->adinlen))
907                 {
908                 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
909                 goto err;
910                 }
911                 
912
913         /* Instantiate again with valid data */
914
915         if (!FIPS_drbg_init(dctx, td->nid, td->flags))
916                 goto err;
917         if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, test_nonce, 0))
918                 goto err;
919         FIPS_drbg_set_app_data(dctx, &t);
920
921         t.entlen = td->entlen;
922         /* Test reseeding works */
923         dctx->reseed_interval = 2;
924         if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
925                 goto err;
926
927         /* Check generation is now OK */
928         if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
929                                 td->adin, td->adinlen))
930                 goto err;
931         if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
932                                 td->adin, td->adinlen))
933                 goto err;
934
935         /* DRBG should now require a reseed */
936         if (dctx->status != DRBG_STATUS_RESEED)
937                 {
938                 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
939                 goto err;
940                 }
941
942
943         /* Generate again and check entropy has been requested for reseed */
944         t.entcnt = 0;
945         if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
946                                 td->adin, td->adinlen))
947                 goto err;
948         if (t.entcnt != 1)
949                 {
950                 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
951                 goto err;
952                 }
953
954         FIPS_drbg_uninstantiate(dctx);
955         p = (unsigned char *)dctx;
956         /* Standard says we have to check uninstantiate really zeroes
957          * the data...
958          */
959         for (i = 0; i < sizeof(DRBG_CTX); i++)
960                 {
961                 if (*p != 0)
962                         {
963                         FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
964                         goto err;
965                         }
966                 p++;
967                 }
968
969         return 1;
970
971         err:
972         /* A real error as opposed to an induced one: underlying function will
973          * indicate the error.
974          */
975         if (!(dctx->flags & DRBG_FLAG_NOERR))
976                 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_FUNCTION_ERROR);
977         FIPS_drbg_uninstantiate(dctx);
978         return 0;
979
980         }
981                 
982
983 int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
984         {
985         int rv;
986         DRBG_SELFTEST_DATA *td;
987         for (td = drbg_test; td->nid != 0; td++)
988                 {
989                 if (td->nid == nid && td->flags == flags)
990                         {
991                         rv = fips_drbg_single_kat(dctx, td);
992                         if (rv <= 0)
993                                 return rv;
994                         return fips_drbg_health_check(dctx, td);
995                         }
996                 }
997         return 0;
998         }
999
1000 int FIPS_selftest_drbg(void)
1001         {
1002         DRBG_CTX *dctx;
1003         DRBG_SELFTEST_DATA *td;
1004         dctx = FIPS_drbg_new(0, 0);
1005         if (!dctx)
1006                 return 0;
1007         for (td = drbg_test; td->nid != 0; td++)
1008                 {
1009                 if (!fips_drbg_single_kat(dctx, td))
1010                         break;
1011                 if (!fips_drbg_health_check(dctx, td))
1012                         break;
1013                 }
1014         FIPS_drbg_free(dctx);
1015         if (td->nid == 0)
1016                 return 1;
1017         return 0;
1018         }
1019
1020
1021
1022