Add DRBG random method
authorRich Salz <rsalz@openssl.org>
Tue, 27 Jun 2017 16:04:37 +0000 (12:04 -0400)
committerRich Salz <rsalz@openssl.org>
Wed, 19 Jul 2017 07:25:16 +0000 (03:25 -0400)
Ported from the last FIPS release, with DUAL_EC and SHA1 and the
self-tests removed.  Since only AES-CTR is supported, other code
simplifications were done.  Removed the "entropy blocklen" concept.

Moved internal functions to new include/internal/rand.h.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3789)

19 files changed:
crypto/err/openssl.txt
crypto/rand/build.info
crypto/rand/drbg_lib.c [new file with mode: 0644]
crypto/rand/drbg_rand.c [new file with mode: 0644]
crypto/rand/ossl_rand.c
crypto/rand/rand_err.c
crypto/rand/rand_lcl.h
crypto/rand/rand_lib.c
include/internal/rand.h [new file with mode: 0644]
include/openssl/crypto.h
include/openssl/ossl_typ.h
include/openssl/rand.h
include/openssl/randerr.h
test/build.info
test/drbgtest.c [new file with mode: 0644]
test/drbgtest.h [new file with mode: 0644]
test/recipes/05-test_rand.t
util/libcrypto.num
util/mkdef.pl

index f842870..d8fcb9a 100644 (file)
@@ -860,9 +860,17 @@ PKCS7_F_PKCS7_SIGNER_INFO_SIGN:139:PKCS7_SIGNER_INFO_sign
 PKCS7_F_PKCS7_SIGN_ADD_SIGNER:137:PKCS7_sign_add_signer
 PKCS7_F_PKCS7_SIMPLE_SMIMECAP:119:PKCS7_simple_smimecap
 PKCS7_F_PKCS7_VERIFY:117:PKCS7_verify
+RAND_F_DRBG_BYTES:101:drbg_bytes
+RAND_F_DRBG_GET_ENTROPY:105:drbg_get_entropy
+RAND_F_GET_ENTROPY:106:get_entropy
 RAND_F_RAND_BYTES:100:RAND_bytes
-RAND_F_RAND_LOAD_FILE:101:RAND_load_file
-RAND_F_RAND_WRITE_FILE:102:RAND_write_file
+RAND_F_RAND_DRBG_GENERATE:107:RAND_DRBG_generate
+RAND_F_RAND_DRBG_INSTANTIATE:108:RAND_DRBG_instantiate
+RAND_F_RAND_DRBG_NEW:109:RAND_DRBG_new
+RAND_F_RAND_DRBG_RESEED:110:RAND_DRBG_reseed
+RAND_F_RAND_DRBG_SET:104:RAND_DRBG_set
+RAND_F_RAND_LOAD_FILE:111:RAND_load_file
+RAND_F_RAND_WRITE_FILE:112:RAND_write_file
 RSA_F_CHECK_PADDING_MD:140:check_padding_md
 RSA_F_ENCODE_PKCS1:146:encode_pkcs1
 RSA_F_INT_RSA_VERIFY:145:int_rsa_verify
@@ -2098,11 +2106,28 @@ PKCS7_R_UNSUPPORTED_CIPHER_TYPE:111:unsupported cipher type
 PKCS7_R_UNSUPPORTED_CONTENT_TYPE:112:unsupported content type
 PKCS7_R_WRONG_CONTENT_TYPE:113:wrong content type
 PKCS7_R_WRONG_PKCS7_TYPE:114:wrong pkcs7 type
-RAND_R_CANNOT_OPEN_FILE:102:Cannot open file
+RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long
+RAND_R_ALREADY_INSTANTIATED:103:already instantiated
+RAND_R_CANNOT_OPEN_FILE:121:Cannot open file
+RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised
+RAND_R_ERROR_INITIALISING_DRBG:107:error initialising drbg
+RAND_R_ERROR_INSTANTIATING_DRBG:108:error instantiating drbg
+RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:109:error retrieving additional input
+RAND_R_ERROR_RETRIEVING_ENTROPY:110:error retrieving entropy
+RAND_R_ERROR_RETRIEVING_NONCE:111:error retrieving nonce
 RAND_R_FUNC_NOT_IMPLEMENTED:101:Function not implemented
-RAND_R_FWRITE_ERROR:103:Error writing file
-RAND_R_NOT_A_REGULAR_FILE:104:Not a regular file
+RAND_R_FWRITE_ERROR:123:Error writing file
+RAND_R_GENERATE_ERROR:112:generate error
+RAND_R_INTERNAL_ERROR:113:internal error
+RAND_R_IN_ERROR_STATE:114:in error state
+RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file
+RAND_R_NOT_INSTANTIATED:115:not instantiated
+RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long
 RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded
+RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg
+RAND_R_RESEED_ERROR:118:reseed error
+RAND_R_SELFTEST_FAILURE:119:selftest failure
+RAND_R_UNSUPPORTED_DRBG_TYPE:120:unsupported drbg type
 RSA_R_ALGORITHM_MISMATCH:100:algorithm mismatch
 RSA_R_BAD_E_VALUE:101:bad e value
 RSA_R_BAD_FIXED_HEADER_DECRYPT:102:bad fixed header decrypt
index 9e0a90b..f011d78 100644 (file)
@@ -1,4 +1,4 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=\
         ossl_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \
-        rand_win.c rand_unix.c rand_vms.c
+        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_rand.c
diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c
new file mode 100644 (file)
index 0000000..b9161ab
--- /dev/null
@@ -0,0 +1,349 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+/*
+ * Support framework for NIST SP 800-90A DRBG, AES-CTR mode.
+ */
+
+/*
+ * Get entropy from the existing callback.  This is mainly used for KATs.
+ */
+static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout,
+                          int entropy, size_t min_len, size_t max_len)
+{
+    if (dctx->get_entropy != NULL)
+        return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
+    /* TODO: Get from parent if it exists. */
+    return 0;
+}
+
+/*
+ * Cleanup entropy.
+ */
+static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen)
+{
+    if (dctx->cleanup_entropy != NULL)
+        dctx->cleanup_entropy(dctx, out, olen);
+}
+
+/*
+ * The OpenSSL model is to have new and free functions, and that new
+ * does all initialization.  That is not the NIST model, which has
+ * instantiation and un-instantiate, and re-use within a new/free
+ * lifecycle.  (No doubt this comes from the desire to support hardware
+ * DRBG, where allocation of resources on something like an HSM is
+ * a much bigger deal than just re-setting an allocated resource.)
+ *
+ * The DRBG_CTX is OpenSSL's opaque pointer to an instance of the
+ * DRBG.
+ */
+
+/*
+ * Set/initialize |dctx| to be of type |nid|, with optional |flags|.
+ * Return -2 if the type is not supported, 1 on success and -1 on
+ * failure.
+ */
+int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags)
+{
+    int ret = 1;
+
+    dctx->status = DRBG_STATUS_UNINITIALISED;
+    dctx->flags = flags;
+    dctx->nid = nid;
+
+    switch (nid) {
+    default:
+        RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
+        return -2;
+    case 0:
+        /* Uninitialized; that's okay. */
+        return 1;
+    case NID_aes_128_ctr:
+    case NID_aes_192_ctr:
+    case NID_aes_256_ctr:
+        ret = ctr_init(dctx);
+        break;
+    }
+
+    if (ret < 0)
+        RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
+    return ret;
+}
+
+/*
+ * Allocate memory and initialize a new DRBG.  The |parent|, if not
+ * NULL, will be used to auto-seed this DRBG_CTX as needed.
+ */
+DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent)
+{
+    DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx));
+
+    if (dctx == NULL) {
+        RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+
+    dctx->parent = parent;
+    if (RAND_DRBG_set(dctx, type, flags) < 0) {
+        OPENSSL_free(dctx);
+        return NULL;
+    }
+    return dctx;
+}
+
+/*
+ * Uninstantiate |dctx| and free all memory.
+ */
+void RAND_DRBG_free(DRBG_CTX *dctx)
+{
+    if (dctx == NULL)
+        return;
+
+    ctr_uninstantiate(dctx);
+    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data);
+
+    /* Don't free up default DRBG */
+    if (dctx == RAND_DRBG_get_default()) {
+        memset(dctx, 0, sizeof(DRBG_CTX));
+        dctx->nid = 0;
+        dctx->status = DRBG_STATUS_UNINITIALISED;
+    } else {
+        OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
+        OPENSSL_free(dctx);
+    }
+}
+
+/*
+ * Instantiate |dctx|, after it has been initialized.  Use |pers| and
+ * |perslen| as prediction-resistance input.
+ */
+int RAND_DRBG_instantiate(DRBG_CTX *dctx,
+                          const unsigned char *pers, size_t perslen)
+{
+    size_t entlen = 0, noncelen = 0;
+    unsigned char *nonce = NULL, *entropy = NULL;
+    int r = 0;
+
+    if (perslen > dctx->max_pers) {
+        r = RAND_R_PERSONALISATION_STRING_TOO_LONG;
+        goto end;
+    }
+    if (dctx->status != DRBG_STATUS_UNINITIALISED) {
+        r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE
+                                              : RAND_R_ALREADY_INSTANTIATED;
+        goto end;
+    }
+
+    dctx->status = DRBG_STATUS_ERROR;
+    entlen = get_entropy(dctx, &entropy, dctx->strength,
+                         dctx->min_entropy, dctx->max_entropy);
+    if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
+        r = RAND_R_ERROR_RETRIEVING_ENTROPY;
+        goto end;
+    }
+
+    if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) {
+        noncelen = dctx->get_nonce(dctx, &nonce,
+                                   dctx->strength / 2,
+                                   dctx->min_nonce, dctx->max_nonce);
+
+        if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
+            r = RAND_R_ERROR_RETRIEVING_NONCE;
+            goto end;
+        }
+    }
+
+    if (!ctr_instantiate(dctx, entropy, entlen,
+                         nonce, noncelen, pers, perslen)) {
+        r = RAND_R_ERROR_INSTANTIATING_DRBG;
+        goto end;
+    }
+
+    dctx->status = DRBG_STATUS_READY;
+    dctx->reseed_counter = 1;
+
+end:
+    if (entropy != NULL && dctx->cleanup_entropy != NULL)
+        dctx->cleanup_entropy(dctx, entropy, entlen);
+    if (nonce != NULL && dctx->cleanup_nonce!= NULL )
+        dctx->cleanup_nonce(dctx, nonce, noncelen);
+    if (dctx->status == DRBG_STATUS_READY)
+        return 1;
+
+    if (r)
+        RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r);
+    return 0;
+}
+
+/*
+ * Uninstantiate |dctx|. Must be instantiated before it can be used.
+ */
+int RAND_DRBG_uninstantiate(DRBG_CTX *dctx)
+{
+    int ret = ctr_uninstantiate(dctx);
+
+    OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
+    dctx->status = DRBG_STATUS_UNINITIALISED;
+    return ret;
+}
+
+/*
+ * Mix in the specified data to reseed |dctx|.
+ */
+int RAND_DRBG_reseed(DRBG_CTX *dctx,
+                     const unsigned char *adin, size_t adinlen)
+{
+    unsigned char *entropy = NULL;
+    size_t entlen = 0;
+    int r = 0;
+
+    if (dctx->status != DRBG_STATUS_READY
+            && dctx->status != DRBG_STATUS_RESEED) {
+        if (dctx->status == DRBG_STATUS_ERROR)
+            r = RAND_R_IN_ERROR_STATE;
+        else if (dctx->status == DRBG_STATUS_UNINITIALISED)
+            r = RAND_R_NOT_INSTANTIATED;
+        goto end;
+    }
+
+    if (adin == NULL)
+        adinlen = 0;
+    else if (adinlen > dctx->max_adin) {
+        r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
+        goto end;
+    }
+
+    dctx->status = DRBG_STATUS_ERROR;
+    entlen = get_entropy(dctx, &entropy, dctx->strength,
+                         dctx->min_entropy, dctx->max_entropy);
+
+    if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
+        r = RAND_R_ERROR_RETRIEVING_ENTROPY;
+        goto end;
+    }
+
+    if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen))
+        goto end;
+    dctx->status = DRBG_STATUS_READY;
+    dctx->reseed_counter = 1;
+
+end:
+    if (entropy != NULL && dctx->cleanup_entropy != NULL)
+        cleanup_entropy(dctx, entropy, entlen);
+    if (dctx->status == DRBG_STATUS_READY)
+        return 1;
+    if (r)
+        RANDerr(RAND_F_RAND_DRBG_RESEED, r);
+
+    return 0;
+}
+
+/*
+ * Generate |outlen| bytes into the buffer at |out|.  Reseed if we need
+ * to or if |prediction_resistance| is set.  Additional input can be
+ * sent in |adin| and |adinlen|.
+ */
+int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+                       int prediction_resistance,
+                       const unsigned char *adin, size_t adinlen)
+{
+    int r = 0;
+
+    if (dctx->status != DRBG_STATUS_READY
+            && dctx->status != DRBG_STATUS_RESEED) {
+        if (dctx->status == DRBG_STATUS_ERROR)
+            r = RAND_R_IN_ERROR_STATE;
+        else if(dctx->status == DRBG_STATUS_UNINITIALISED)
+            r = RAND_R_NOT_INSTANTIATED;
+        goto end;
+    }
+
+    if (outlen > dctx->max_request) {
+        r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG;
+        return 0;
+    }
+    if (adinlen > dctx->max_adin) {
+        r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
+        goto end;
+    }
+
+    if (dctx->reseed_counter >= dctx->reseed_interval)
+        dctx->status = DRBG_STATUS_RESEED;
+
+    if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
+        if (!RAND_DRBG_reseed(dctx, adin, adinlen)) {
+            r = RAND_R_RESEED_ERROR;
+            goto end;
+        }
+        adin = NULL;
+        adinlen = 0;
+    }
+
+    if (!ctr_generate(dctx, out, outlen, adin, adinlen)) {
+        r = RAND_R_GENERATE_ERROR;
+        dctx->status = DRBG_STATUS_ERROR;
+        goto end;
+    }
+    if (dctx->reseed_counter >= dctx->reseed_interval)
+        dctx->status = DRBG_STATUS_RESEED;
+    else
+        dctx->reseed_counter++;
+    return 1;
+
+end:
+    RANDerr(RAND_F_RAND_DRBG_GENERATE, r);
+    return 0;
+}
+
+/*
+ * Set the callbacks for entropy and nonce.  Used mainly for the KATs
+ */
+int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
+    size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
+                             int entropy, size_t min_len, size_t max_len),
+    void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
+    size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
+                           int entropy, size_t min_len, size_t max_len),
+    void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
+{
+    if (dctx->status != DRBG_STATUS_UNINITIALISED)
+        return 0;
+    dctx->get_entropy = cb_get_entropy;
+    dctx->cleanup_entropy = cb_cleanup_entropy;
+    dctx->get_nonce = cb_get_nonce;
+    dctx->cleanup_nonce = cb_cleanup_nonce;
+    return 1;
+}
+
+/*
+ * Set the reseed internal. Used mainly for the KATs.
+ */
+void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval)
+{
+    dctx->reseed_interval = interval;
+}
+
+/*
+ * Get and set the EXDATA
+ */
+int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg)
+{
+    return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg);
+}
+
+void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx)
+{
+    return CRYPTO_get_ex_data(&dctx->ex_data, idx);
+}
diff --git a/crypto/rand/drbg_rand.c b/crypto/rand/drbg_rand.c
new file mode 100644 (file)
index 0000000..858f74a
--- /dev/null
@@ -0,0 +1,449 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+#include "internal/thread_once.h"
+
+/*
+ * Mapping of NIST SP 800-90A DRBG to OpenSSL RAND_METHOD.
+ */
+
+
+/*
+ * The default global DRBG and its auto-init/auto-cleanup.
+ */
+static DRBG_CTX ossl_drbg;
+
+static CRYPTO_ONCE ossl_drbg_init = CRYPTO_ONCE_STATIC_INIT;
+
+DEFINE_RUN_ONCE_STATIC(do_ossl_drbg_init)
+{
+    ossl_drbg.lock = CRYPTO_THREAD_lock_new();
+    return ossl_drbg.lock != NULL;
+}
+
+void rand_drbg_cleanup(void)
+{
+    CRYPTO_THREAD_lock_free(ossl_drbg.lock);
+}
+
+static void inc_128(DRBG_CTR_CTX *cctx)
+{
+    int i;
+    unsigned char c;
+    unsigned char *p = &cctx->V[15];
+
+    for (i = 0; i < 16; i++, p--) {
+        c = *p;
+        c++;
+        *p = c;
+        if (c != 0) {
+            /* If we didn't wrap around, we're done. */
+            break;
+        }
+    }
+}
+
+static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
+{
+    size_t i, n;
+
+    if (in == NULL || inlen == 0)
+        return;
+
+    /*
+     * Any zero padding will have no effect on the result as we
+     * are XORing. So just process however much input we have.
+     */
+    n = inlen < cctx->keylen ? inlen : cctx->keylen;
+    for (i = 0; i < n; i++)
+        cctx->K[i] ^= in[i];
+    if (inlen <= cctx->keylen)
+        return;
+
+    n = inlen - cctx->keylen;
+    if (n > 16) {
+        /* Should never happen */
+        n = 16;
+    }
+    for (i = 0; i < 16; i++)
+        cctx->V[i] ^= in[i + cctx->keylen];
+}
+
+/*
+ * Process a complete block using BCC algorithm of SP 800-90A 10.3.3
+ */
+static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out,
+                          const unsigned char *in)
+{
+    int i;
+
+    for (i = 0; i < 16; i++)
+        out[i] ^= in[i];
+    AES_encrypt(out, out, &cctx->df_ks);
+}
+
+
+/*
+ * Handle several BCC operations for as much data as we need for K and X
+ */
+static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in)
+{
+    ctr_BCC_block(cctx, cctx->KX, in);
+    ctr_BCC_block(cctx, cctx->KX + 16, in);
+    if (cctx->keylen != 16)
+        ctr_BCC_block(cctx, cctx->KX + 32, in);
+}
+
+/*
+ * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
+ * see 10.3.1 stage 7.
+ */
+static void ctr_BCC_init(DRBG_CTR_CTX *cctx)
+{
+    memset(cctx->KX, 0, 48);
+    memset(cctx->bltmp, 0, 16);
+    ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
+    cctx->bltmp[3] = 1;
+    ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
+    if (cctx->keylen != 16) {
+        cctx->bltmp[3] = 2;
+        ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
+    }
+}
+
+/*
+ * Process several blocks into BCC algorithm, some possibly partial
+ */
+static void ctr_BCC_update(DRBG_CTR_CTX *cctx,
+                           const unsigned char *in, size_t inlen)
+{
+    if (in == NULL || inlen == 0)
+        return;
+
+    /* If we have partial block handle it first */
+    if (cctx->bltmp_pos) {
+        size_t left = 16 - cctx->bltmp_pos;
+
+        /* If we now have a complete block process it */
+        if (inlen >= left) {
+            memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
+            ctr_BCC_blocks(cctx, cctx->bltmp);
+            cctx->bltmp_pos = 0;
+            inlen -= left;
+            in += left;
+        }
+    }
+
+    /* Process zero or more complete blocks */
+    for (; inlen >= 16; in += 16, inlen -= 16) {
+        ctr_BCC_blocks(cctx, in);
+    }
+
+    /* Copy any remaining partial block to the temporary buffer */
+    if (inlen > 0) {
+        memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
+        cctx->bltmp_pos += inlen;
+    }
+}
+
+static void ctr_BCC_final(DRBG_CTR_CTX *cctx)
+{
+    if (cctx->bltmp_pos) {
+        memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
+        ctr_BCC_blocks(cctx, cctx->bltmp);
+    }
+}
+
+static void ctr_df(DRBG_CTR_CTX *cctx,
+                   const unsigned char *in1, size_t in1len,
+                   const unsigned char *in2, size_t in2len,
+                   const unsigned char *in3, size_t in3len)
+{
+    static unsigned char c80 = 0x80;
+    size_t inlen;
+    unsigned char *p = cctx->bltmp;
+
+    ctr_BCC_init(cctx);
+    if (in1 == NULL)
+        in1len = 0;
+    if (in2 == NULL)
+        in2len = 0;
+    if (in3 == NULL)
+        in3len = 0;
+    inlen = in1len + in2len + in3len;
+    /* Initialise L||N in temporary block */
+    *p++ = (inlen >> 24) & 0xff;
+    *p++ = (inlen >> 16) & 0xff;
+    *p++ = (inlen >> 8) & 0xff;
+    *p++ = inlen & 0xff;
+
+    /* NB keylen is at most 32 bytes */
+    *p++ = 0;
+    *p++ = 0;
+    *p++ = 0;
+    *p = (unsigned char)((cctx->keylen + 16) & 0xff);
+    cctx->bltmp_pos = 8;
+    ctr_BCC_update(cctx, in1, in1len);
+    ctr_BCC_update(cctx, in2, in2len);
+    ctr_BCC_update(cctx, in3, in3len);
+    ctr_BCC_update(cctx, &c80, 1);
+    ctr_BCC_final(cctx);
+    /* Set up key K */
+    AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
+    /* X follows key K */
+    AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
+    AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
+    if (cctx->keylen != 16)
+        AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
+}
+
+/*
+ * NB the no-df Update in SP800-90A specifies a constant input length
+ * of seedlen, however other uses of this algorithm pad the input with
+ * zeroes if necessary and have up to two parameters XORed together,
+ * handle both cases in this function instead.
+ */
+static void ctr_update(DRBG_CTX *dctx,
+                       const unsigned char *in1, size_t in1len,
+                       const unsigned char *in2, size_t in2len,
+                       const unsigned char *nonce, size_t noncelen)
+{
+    DRBG_CTR_CTX *cctx = &dctx->ctr;
+
+    /* ks is already setup for correct key */
+    inc_128(cctx);
+    AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+
+    /* If keylen longer than 128 bits need extra encrypt */
+    if (cctx->keylen != 16) {
+        inc_128(cctx);
+        AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
+    }
+    inc_128(cctx);
+    AES_encrypt(cctx->V, cctx->V, &cctx->ks);
+
+    /* If 192 bit key part of V is on end of K */
+    if (cctx->keylen == 24) {
+        memcpy(cctx->V + 8, cctx->V, 8);
+        memcpy(cctx->V, cctx->K + 24, 8);
+    }
+
+    if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+        /* If no input reuse existing derived value */
+        if (in1 != NULL || nonce != NULL || in2 != NULL)
+            ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
+        /* If this a reuse input in1len != 0 */
+        if (in1len)
+            ctr_XOR(cctx, cctx->KX, dctx->seedlen);
+    } else {
+        ctr_XOR(cctx, in1, in1len);
+        ctr_XOR(cctx, in2, in2len);
+    }
+
+    AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
+}
+
+int ctr_instantiate(DRBG_CTX *dctx,
+                    const unsigned char *ent, size_t entlen,
+                    const unsigned char *nonce, size_t noncelen,
+                    const unsigned char *pers, size_t perslen)
+{
+    DRBG_CTR_CTX *cctx = &dctx->ctr;
+
+    memset(cctx->K, 0, sizeof(cctx->K));
+    memset(cctx->V, 0, sizeof(cctx->V));
+    AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
+    ctr_update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
+    return 1;
+}
+
+int ctr_reseed(DRBG_CTX *dctx,
+               const unsigned char *ent, size_t entlen,
+               const unsigned char *adin, size_t adinlen)
+{
+    ctr_update(dctx, ent, entlen, adin, adinlen, NULL, 0);
+    return 1;
+}
+
+int ctr_generate(DRBG_CTX *dctx,
+                 unsigned char *out, size_t outlen,
+                 const unsigned char *adin, size_t adinlen)
+{
+    DRBG_CTR_CTX *cctx = &dctx->ctr;
+
+    if (adin != NULL && adinlen != 0) {
+        ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0);
+        /* This means we reuse derived value */
+        if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+            adin = NULL;
+            adinlen = 1;
+        }
+    } else {
+        adinlen = 0;
+    }
+
+    for ( ; ; ) {
+        inc_128(cctx);
+        if (outlen < 16) {
+            /* Use K as temp space as it will be updated */
+            AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+            memcpy(out, cctx->K, outlen);
+            break;
+        }
+        AES_encrypt(cctx->V, out, &cctx->ks);
+        out += 16;
+        outlen -= 16;
+        if (outlen == 0)
+            break;
+    }
+
+    ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0);
+    return 1;
+}
+
+int ctr_uninstantiate(DRBG_CTX *dctx)
+{
+    memset(&dctx->ctr, 0, sizeof(dctx->ctr));
+    return 1;
+}
+
+int ctr_init(DRBG_CTX *dctx)
+{
+    DRBG_CTR_CTX *cctx = &dctx->ctr;
+    size_t keylen;
+
+    switch (dctx->nid) {
+    default:
+        /* This can't happen, but silence the compiler warning. */
+        return -1;
+    case NID_aes_128_ctr:
+        keylen = 16;
+        break;
+    case NID_aes_192_ctr:
+        keylen = 24;
+        break;
+    case NID_aes_256_ctr:
+        keylen = 32;
+        break;
+    }
+
+    cctx->keylen = keylen;
+    dctx->strength = keylen * 8;
+    dctx->blocklength = 16;
+    dctx->seedlen = keylen + 16;
+
+    if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
+        /* df initialisation */
+        static unsigned char df_key[32] = {
+            0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+            0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
+            0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+            0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
+        };
+        /* Set key schedule for df_key */
+        AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
+
+        dctx->min_entropy = cctx->keylen;
+        dctx->max_entropy = DRBG_MAX_LENGTH;
+        dctx->min_nonce = dctx->min_entropy / 2;
+        dctx->max_nonce = DRBG_MAX_LENGTH;
+        dctx->max_pers = DRBG_MAX_LENGTH;
+        dctx->max_adin = DRBG_MAX_LENGTH;
+    } else {
+        dctx->min_entropy = dctx->seedlen;
+        dctx->max_entropy = dctx->seedlen;
+        /* Nonce not used */
+        dctx->min_nonce = 0;
+        dctx->max_nonce = 0;
+        dctx->max_pers = dctx->seedlen;
+        dctx->max_adin = dctx->seedlen;
+    }
+
+    dctx->max_request = 1 << 16;
+    dctx->reseed_interval = 1 << 24;
+    return 1;
+}
+
+
+/*
+ * The following function tie the DRBG code into the RAND_METHOD
+ */
+
+DRBG_CTX *RAND_DRBG_get_default(void)
+{
+    if (!RUN_ONCE(&ossl_drbg_init, do_ossl_drbg_init))
+        return NULL;
+    return &ossl_drbg;
+}
+
+static int drbg_bytes(unsigned char *out, int count)
+{
+    DRBG_CTX *dctx = RAND_DRBG_get_default();
+    int ret = 0;
+
+    CRYPTO_THREAD_write_lock(dctx->lock);
+    do {
+        size_t rcnt;
+
+        if (count > (int)dctx->max_request)
+            rcnt = dctx->max_request;
+        else
+            rcnt = count;
+        ret = RAND_DRBG_generate(dctx, out, rcnt, 0, NULL, 0);
+        if (!ret)
+            goto err;
+        out += rcnt;
+        count -= rcnt;
+    } while (count);
+    ret = 1;
+err:
+    CRYPTO_THREAD_unlock(dctx->lock);
+    return ret;
+}
+
+static int drbg_status(void)
+{
+    DRBG_CTX *dctx = RAND_DRBG_get_default();
+    int ret;
+
+    CRYPTO_THREAD_write_lock(dctx->lock);
+    ret = dctx->status == DRBG_STATUS_READY ? 1 : 0;
+    CRYPTO_THREAD_unlock(dctx->lock);
+    return ret;
+}
+
+static void drbg_cleanup(void)
+{
+    DRBG_CTX *dctx = RAND_DRBG_get_default();
+
+    CRYPTO_THREAD_write_lock(dctx->lock);
+    RAND_DRBG_uninstantiate(dctx);
+    CRYPTO_THREAD_unlock(dctx->lock);
+}
+
+static const RAND_METHOD rand_drbg_meth =
+{
+    NULL,
+    drbg_bytes,
+    drbg_cleanup,
+    NULL,
+    drbg_bytes,
+    drbg_status
+};
+
+const RAND_METHOD *RAND_drbg(void)
+{
+    return &rand_drbg_meth;
+}
index 016653d..1b4b21b 100644 (file)
@@ -38,8 +38,8 @@ typedef struct ossl_rand_state_st OSSL_RAND_STATE;
 struct ossl_rand_state_st {
     size_t num;
     size_t index;
-    unsigned char state[STATE_SIZE + RAND_DIGEST_LENGTH];
-    unsigned char md[RAND_DIGEST_LENGTH];
+    unsigned char state[STATE_SIZE + SHA_DIGEST_LENGTH];
+    unsigned char md[SHA_DIGEST_LENGTH];
     long md_count[2];
 };
 
@@ -103,7 +103,7 @@ static int rand_add(const void *buf, int num, double add)
 {
     int i, j, k, st_idx;
     long md_c[2];
-    unsigned char local_md[RAND_DIGEST_LENGTH];
+    unsigned char local_md[SHA_DIGEST_LENGTH];
     EVP_MD_CTX *m;
     int do_not_lock;
     int rv = 0;
@@ -178,18 +178,18 @@ static int rand_add(const void *buf, int num, double add)
      * will use now, but other threads may use them as well
      */
 
-    sp->md_count[1] += (num / RAND_DIGEST_LENGTH) + (num % RAND_DIGEST_LENGTH > 0);
+    sp->md_count[1] += (num / SHA_DIGEST_LENGTH) + (num % SHA_DIGEST_LENGTH > 0);
 
     if (!do_not_lock)
         CRYPTO_THREAD_unlock(rand_lock);
 
-    for (i = 0; i < num; i += RAND_DIGEST_LENGTH) {
+    for (i = 0; i < num; i += SHA_DIGEST_LENGTH) {
         j = (num - i);
-        j = (j > RAND_DIGEST_LENGTH) ? RAND_DIGEST_LENGTH : j;
+        j = (j > SHA_DIGEST_LENGTH) ? SHA_DIGEST_LENGTH : j;
 
-        if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL))
+        if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL))
             goto err;
-        if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
+        if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
             goto err;
         k = (st_idx + j) - STATE_SIZE;
         if (k > 0) {
@@ -268,7 +268,7 @@ static int rand_bytes(unsigned char *buf, int num)
     size_t num_ceil, st_idx, st_num;
     int ok;
     long md_c[2];
-    unsigned char local_md[RAND_DIGEST_LENGTH];
+    unsigned char local_md[SHA_DIGEST_LENGTH];
     EVP_MD_CTX *m;
     OSSL_RAND_STATE *sp = &global_state;
 #ifndef GETPID_IS_MEANINGLESS
@@ -314,9 +314,9 @@ static int rand_bytes(unsigned char *buf, int num)
     if (m == NULL)
         goto err_mem;
 
-    /* round upwards to multiple of RAND_DIGEST_LENGTH/2 */
+    /* round upwards to multiple of SHA_DIGEST_LENGTH/2 */
     num_ceil =
-        (1 + (num - 1) / (RAND_DIGEST_LENGTH / 2)) * (RAND_DIGEST_LENGTH / 2);
+        (1 + (num - 1) / (SHA_DIGEST_LENGTH / 2)) * (SHA_DIGEST_LENGTH / 2);
 
     /*
      * (Based on the rand(3) manpage:)
@@ -389,16 +389,16 @@ static int rand_bytes(unsigned char *buf, int num)
 
         int n = STATE_SIZE;     /* so that the complete pool gets accessed */
         while (n > 0) {
-#if RAND_DIGEST_LENGTH > 20
+#if SHA_DIGEST_LENGTH > 20
 # error "Please adjust DUMMY_SEED."
 #endif
-#define DUMMY_SEED "...................." /* at least RAND_DIGEST_LENGTH */
+#define DUMMY_SEED "...................." /* at least SHA_DIGEST_LENGTH */
             /*
              * Note that the seed does not matter, it's just that
              * rand_add expects to have something to hash.
              */
-            rand_add(DUMMY_SEED, RAND_DIGEST_LENGTH, 0.0);
-            n -= RAND_DIGEST_LENGTH;
+            rand_add(DUMMY_SEED, SHA_DIGEST_LENGTH, 0.0);
+            n -= SHA_DIGEST_LENGTH;
         }
         if (ok)
             stirred_pool = 1;
@@ -427,10 +427,10 @@ static int rand_bytes(unsigned char *buf, int num)
     CRYPTO_THREAD_unlock(rand_lock);
 
     while (num > 0) {
-        /* num_ceil -= RAND_DIGEST_LENGTH / 2 */
-        j = (num >= RAND_DIGEST_LENGTH / 2) ? RAND_DIGEST_LENGTH / 2 : num;
+        /* num_ceil -= SHA_DIGEST_LENGTH / 2 */
+        j = (num >= SHA_DIGEST_LENGTH / 2) ? SHA_DIGEST_LENGTH / 2 : num;
         num -= j;
-        if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL))
+        if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL))
             goto err;
 #ifndef GETPID_IS_MEANINGLESS
         if (curr_pid) {         /* just in the first iteration to save time */
@@ -448,35 +448,35 @@ static int rand_bytes(unsigned char *buf, int num)
             if (!rand_hw_seed(m))
                 goto err;
         }
-        if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
+        if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
             goto err;
         if (!EVP_DigestUpdate(m, (unsigned char *)md_c, sizeof(md_c)))
             goto err;
 
-        k = (st_idx + RAND_DIGEST_LENGTH / 2) - st_num;
+        k = (st_idx + SHA_DIGEST_LENGTH / 2) - st_num;
         if (k > 0) {
-            if (!EVP_DigestUpdate(m, &sp->state[st_idx], RAND_DIGEST_LENGTH / 2 - k))
+            if (!EVP_DigestUpdate(m, &sp->state[st_idx], SHA_DIGEST_LENGTH / 2 - k))
                 goto err;
             if (!EVP_DigestUpdate(m, &sp->state[0], k))
                 goto err;
-        } else if (!EVP_DigestUpdate(m, &sp->state[st_idx], RAND_DIGEST_LENGTH / 2))
+        } else if (!EVP_DigestUpdate(m, &sp->state[st_idx], SHA_DIGEST_LENGTH / 2))
             goto err;
         if (!EVP_DigestFinal_ex(m, local_md, NULL))
             goto err;
 
-        for (i = 0; i < RAND_DIGEST_LENGTH / 2; i++) {
+        for (i = 0; i < SHA_DIGEST_LENGTH / 2; i++) {
             /* may compete with other threads */
             sp->state[st_idx++] ^= local_md[i];
             if (st_idx >= st_num)
                 st_idx = 0;
             if (i < j)
-                *(buf++) = local_md[i + RAND_DIGEST_LENGTH / 2];
+                *(buf++) = local_md[i + SHA_DIGEST_LENGTH / 2];
         }
     }
 
-    if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL)
+    if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL)
         || !EVP_DigestUpdate(m, (unsigned char *)md_c, sizeof(md_c))
-        || !EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
+        || !EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
         goto err;
     CRYPTO_THREAD_write_lock(rand_lock);
     /*
index 3513ac9..707f010 100644 (file)
 #ifndef OPENSSL_NO_ERR
 
 static const ERR_STRING_DATA RAND_str_functs[] = {
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_BYTES, 0), "drbg_bytes"},
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_GET_ENTROPY, 0), "drbg_get_entropy"},
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_GET_ENTROPY, 0), "get_entropy"},
     {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_BYTES, 0), "RAND_bytes"},
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GENERATE, 0),
+     "RAND_DRBG_generate"},
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_INSTANTIATE, 0),
+     "RAND_DRBG_instantiate"},
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_NEW, 0), "RAND_DRBG_new"},
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_RESEED, 0), "RAND_DRBG_reseed"},
+    {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_SET, 0), "RAND_DRBG_set"},
     {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_LOAD_FILE, 0), "RAND_load_file"},
     {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_WRITE_FILE, 0), "RAND_write_file"},
     {0, NULL}
 };
 
 static const ERR_STRING_DATA RAND_str_reasons[] = {
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ADDITIONAL_INPUT_TOO_LONG),
+    "additional input too long"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ALREADY_INSTANTIATED),
+    "already instantiated"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_CANNOT_OPEN_FILE), "Cannot open file"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DRBG_NOT_INITIALISED),
+    "drbg not initialised"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_INITIALISING_DRBG),
+    "error initialising drbg"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_INSTANTIATING_DRBG),
+    "error instantiating drbg"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
+    "error retrieving additional input"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_ENTROPY),
+    "error retrieving entropy"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_NONCE),
+    "error retrieving nonce"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_FUNC_NOT_IMPLEMENTED),
     "Function not implemented"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_FWRITE_ERROR), "Error writing file"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_GENERATE_ERROR), "generate error"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INTERNAL_ERROR), "internal error"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_IN_ERROR_STATE), "in error state"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_A_REGULAR_FILE),
     "Not a regular file"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_INSTANTIATED), "not instantiated"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PERSONALISATION_STRING_TOO_LONG),
+    "personalisation string too long"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG),
+    "request too large for drbg"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_RESEED_ERROR), "reseed error"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_SELFTEST_FAILURE), "selftest failure"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_UNSUPPORTED_DRBG_TYPE),
+    "unsupported drbg type"},
     {0, NULL}
 };
 
index 69c9630..d65d49f 100644 (file)
 #ifndef HEADER_RAND_LCL_H
 # define HEADER_RAND_LCL_H
 
+# include <openssl/aes.h>
+# include <openssl/evp.h>
+# include <openssl/sha.h>
+# include <openssl/hmac.h>
+# include <openssl/ec.h>
+# include "include/internal/rand.h"
+
 /* we require 256 bits of randomness */
 # define RANDOMNESS_NEEDED (256 / 8)
 
-# include <openssl/evp.h>
-# include <openssl/sha.h>
+/* DRBG status values */
+#define DRBG_STATUS_UNINITIALISED      0
+#define DRBG_STATUS_READY              1
+#define DRBG_STATUS_RESEED             2
+#define DRBG_STATUS_ERROR              3
+
+/* A default maximum length: larger than any reasonable value used in pratice */
+#define DRBG_MAX_LENGTH                        0x7ffffff0
+
+typedef struct drbg_ctr_ctx_st {
+    AES_KEY ks;
+    size_t keylen;
+    unsigned char K[32];
+    unsigned char V[16];
+    /* Temp variables used by derivation function */
+    AES_KEY df_ks;
+    AES_KEY df_kxks;
+    /* Temporary block storage used by ctr_df */
+    unsigned char bltmp[16];
+    size_t bltmp_pos;
+    unsigned char KX[48];
+} DRBG_CTR_CTX;
+
+struct drbg_ctx_st {
+    CRYPTO_RWLOCK *lock;
+    DRBG_CTX *parent;
+    int nid; /* the NID of the underlying algorithm */
+    unsigned int flags; /* various external flags */
+
+    /* The following parameters are setup by mechanism drbg_init() call */
+    int strength;
+    size_t blocklength;
+    size_t max_request;
+    size_t min_entropy, max_entropy;
+    size_t min_nonce, max_nonce;
+    size_t max_pers, max_adin;
+    unsigned int reseed_counter;
+    unsigned int reseed_interval;
+    size_t seedlen;
+    int status;
+
+    /* Application data: typically (only?) used by test get_entropy */
+    CRYPTO_EX_DATA ex_data;
+
+    /* Implementation specific structures */
+    DRBG_CTR_CTX ctr;
+
+    /* entropy gathering function */
+    size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
+            int entropy, size_t min_len, size_t max_len);
+    /* Indicates we have finished with entropy buffer */
+    void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
+
+    /* nonce gathering function */
+    size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
+            int entropy, size_t min_len, size_t max_len);
+    /* Indicates we have finished with nonce buffer */
+    void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
+};
 
-# define RAND_DIGEST EVP_sha1()
-# define RAND_DIGEST_LENGTH        SHA_DIGEST_LENGTH
 
 extern RAND_METHOD openssl_rand_meth;
+void rand_drbg_cleanup(void);
+
+int ctr_init(DRBG_CTX *dctx);
+int drbg_hash_init(DRBG_CTX *dctx);
+int drbg_hmac_init(DRBG_CTX *dctx);
+int ctr_uninstantiate(DRBG_CTX *dctx);
+int ctr_instantiate(DRBG_CTX *dctx,
+                    const unsigned char *ent, size_t entlen,
+                    const unsigned char *nonce, size_t noncelen,
+                    const unsigned char *pers, size_t perslen);
+int ctr_reseed(DRBG_CTX *dctx,
+               const unsigned char *ent, size_t entlen,
+               const unsigned char *adin, size_t adinlen);
+int ctr_generate(DRBG_CTX *dctx,
+                 unsigned char *out, size_t outlen,
+                 const unsigned char *adin, size_t adinlen);
 
 #endif
index 1a1e282..c021486 100644 (file)
@@ -49,6 +49,7 @@ void rand_cleanup_int(void)
     CRYPTO_THREAD_lock_free(rand_engine_lock);
 #endif
     CRYPTO_THREAD_lock_free(rand_meth_lock);
+    rand_drbg_cleanup();
 }
 
 int RAND_set_rand_method(const RAND_METHOD *meth)
diff --git a/include/internal/rand.h b/include/internal/rand.h
new file mode 100644 (file)
index 0000000..95ad712
--- /dev/null
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_DRBG_RAND_H
+# define HEADER_DRBG_RAND_H
+
+/* Flag for CTR mode only: use derivation function ctr_df */
+#define RAND_DRBG_FLAG_CTR_USE_DF            0x2
+
+const RAND_METHOD *RAND_drbg(void);
+
+int RAND_DRBG_set(DRBG_CTX *ctx, int type, unsigned int flags);
+DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent);
+int RAND_DRBG_instantiate(DRBG_CTX *dctx,
+                          const unsigned char *pers, size_t perslen);
+int RAND_DRBG_uninstantiate(DRBG_CTX *dctx);
+int RAND_DRBG_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
+int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+                       int prediction_resistance,
+                       const unsigned char *adin, size_t adinlen);
+void RAND_DRBG_free(DRBG_CTX *dctx);
+
+int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
+    size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
+                          int entropy, size_t min_len, size_t max_len),
+    void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
+    size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
+                        int entropy, size_t min_len, size_t max_len),
+    void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)
+    );
+
+void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval);
+
+#define RAND_DRBG_get_ex_new_index(l, p, newf, dupf, freef) \
+    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DRBG, l, p, newf, dupf, freef)
+int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg);
+void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx);
+
+DRBG_CTX *RAND_DRBG_get_default(void);
+
+
+#endif
+
+
index ad2cfe5..f0bc98f 100644 (file)
@@ -107,7 +107,8 @@ DEFINE_STACK_OF(void)
 # define CRYPTO_EX_INDEX_BIO             12
 # define CRYPTO_EX_INDEX_APP             13
 # define CRYPTO_EX_INDEX_UI_METHOD       14
-# define CRYPTO_EX_INDEX__COUNT          15
+# define CRYPTO_EX_INDEX_DRBG            15
+# define CRYPTO_EX_INDEX__COUNT          16
 
 /*
  * This is the default callbacks, but we can have others as well: this is
index 173a42d..49bdead 100644 (file)
@@ -114,6 +114,7 @@ typedef struct ec_key_st EC_KEY;
 typedef struct ec_key_method_st EC_KEY_METHOD;
 
 typedef struct rand_meth_st RAND_METHOD;
+typedef struct drbg_ctx_st DRBG_CTX;
 
 typedef struct ssl_dane_st SSL_DANE;
 typedef struct x509_st X509;
index 5cda71b..b6b33cf 100644 (file)
@@ -38,15 +38,15 @@ const RAND_METHOD *RAND_get_rand_method(void);
 int RAND_set_rand_engine(ENGINE *engine);
 # endif
 RAND_METHOD *RAND_OpenSSL(void);
-#if OPENSSL_API_COMPAT < 0x10100000L
-# define RAND_cleanup() while(0) continue
-#endif
+# if OPENSSL_API_COMPAT < 0x10100000L
+#   define RAND_cleanup() while(0) continue
+# endif
 int RAND_bytes(unsigned char *buf, int num);
 DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
 void RAND_seed(const void *buf, int num);
-#if defined(__ANDROID__) && defined(__NDK_FPABI__)
+# if defined(__ANDROID__) && defined(__NDK_FPABI__)
 __NDK_FPABI__  /* __attribute__((pcs("aapcs"))) on ARM */
-#endif
+# endif
 void RAND_add(const void *buf, int num, double randomness);
 int RAND_load_file(const char *file, long max_bytes);
 int RAND_write_file(const char *file);
@@ -59,15 +59,16 @@ int RAND_egd_bytes(const char *path, int bytes);
 # endif
 int RAND_poll(void);
 
-#if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H))
+# if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H))
 /* application has to include <windows.h> in order to use these */
 DEPRECATEDIN_1_1_0(void RAND_screen(void))
 DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
-#endif
+# endif
 
 int ERR_load_RAND_strings(void);
 
-# ifdef  __cplusplus
+#ifdef  __cplusplus
 }
-# endif
+#endif
+
 #endif
index 244fd0e..79c652f 100644 (file)
@@ -22,17 +22,42 @@ int ERR_load_RAND_strings(void);
 /*
  * RAND function codes.
  */
+# define RAND_F_DRBG_BYTES                                101
+# define RAND_F_DRBG_GET_ENTROPY                          105
+# define RAND_F_GET_ENTROPY                               106
 # define RAND_F_RAND_BYTES                                100
-# define RAND_F_RAND_LOAD_FILE                            101
-# define RAND_F_RAND_WRITE_FILE                           102
+# define RAND_F_RAND_DRBG_GENERATE                        107
+# define RAND_F_RAND_DRBG_INSTANTIATE                     108
+# define RAND_F_RAND_DRBG_NEW                             109
+# define RAND_F_RAND_DRBG_RESEED                          110
+# define RAND_F_RAND_DRBG_SET                             104
+# define RAND_F_RAND_LOAD_FILE                            111
+# define RAND_F_RAND_WRITE_FILE                           112
 
 /*
  * RAND reason codes.
  */
-# define RAND_R_CANNOT_OPEN_FILE                          102
+# define RAND_R_ADDITIONAL_INPUT_TOO_LONG                 102
+# define RAND_R_ALREADY_INSTANTIATED                      103
+# define RAND_R_CANNOT_OPEN_FILE                          121
+# define RAND_R_DRBG_NOT_INITIALISED                      104
+# define RAND_R_ERROR_INITIALISING_DRBG                   107
+# define RAND_R_ERROR_INSTANTIATING_DRBG                  108
+# define RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT         109
+# define RAND_R_ERROR_RETRIEVING_ENTROPY                  110
+# define RAND_R_ERROR_RETRIEVING_NONCE                    111
 # define RAND_R_FUNC_NOT_IMPLEMENTED                      101
-# define RAND_R_FWRITE_ERROR                              103
-# define RAND_R_NOT_A_REGULAR_FILE                        104
+# define RAND_R_FWRITE_ERROR                              123
+# define RAND_R_GENERATE_ERROR                            112
+# define RAND_R_INTERNAL_ERROR                            113
+# define RAND_R_IN_ERROR_STATE                            114
+# define RAND_R_NOT_A_REGULAR_FILE                        122
+# define RAND_R_NOT_INSTANTIATED                          115
+# define RAND_R_PERSONALISATION_STRING_TOO_LONG           116
 # define RAND_R_PRNG_NOT_SEEDED                           100
+# define RAND_R_REQUEST_TOO_LARGE_FOR_DRBG                117
+# define RAND_R_RESEED_ERROR                              118
+# define RAND_R_SELFTEST_FAILURE                          119
+# define RAND_R_UNSUPPORTED_DRBG_TYPE                     120
 
 #endif
index 34c81a4..9664443 100644 (file)
@@ -42,7 +42,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
           ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
           bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
           pkey_meth_test uitest cipherbytes_test asn1_encode_test \
-          x509_time_test x509_dup_cert_test x509_check_cert_pkey_test recordlentest \
+          x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
+          recordlentest drbgtest \
           time_offset_test pemtest ssl_cert_table_internal_test
 
   SOURCE[aborttest]=aborttest.c
@@ -302,6 +303,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
   INCLUDE[recordlentest]=../include .
   DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a
 
+  SOURCE[drbgtest]=drbgtest.c
+  INCLUDE[drbgtest]=../include . ..
+  DEPEND[drbgtest]=../libcrypto libtestutil.a
+
   SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c
   INCLUDE[x509_dup_cert_test]=../include
   DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a
diff --git a/test/drbgtest.c b/test/drbgtest.c
new file mode 100644 (file)
index 0000000..80d0b8b
--- /dev/null
@@ -0,0 +1,490 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include "e_os.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/obj_mac.h>
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include "../crypto/rand/rand_lcl.h"
+
+#include "testutil.h"
+#include "drbgtest.h"
+
+typedef struct drbg_selftest_data_st {
+    int post;
+    int nid;
+    unsigned int flags;
+
+    /* KAT data for no PR */
+    const unsigned char *ent;
+    size_t entlen;
+    const unsigned char *nonce;
+    size_t noncelen;
+    const unsigned char *pers;
+    size_t perslen;
+    const unsigned char *adin;
+    size_t adinlen;
+    const unsigned char *entreseed;
+    size_t entreseedlen;
+    const unsigned char *adinreseed;
+    size_t adinreseedlen;
+    const unsigned char *adin2;
+    size_t adin2len;
+    const unsigned char *expected;
+    size_t exlen;
+    const unsigned char *kat2;
+    size_t kat2len;
+
+    /* KAT data for PR */
+    const unsigned char *ent_pr;
+    size_t entlen_pr;
+    const unsigned char *nonce_pr;
+    size_t noncelen_pr;
+    const unsigned char *pers_pr;
+    size_t perslen_pr;
+    const unsigned char *adin_pr;
+    size_t adinlen_pr;
+    const unsigned char *entpr_pr;
+    size_t entprlen_pr;
+    const unsigned char *ading_pr;
+    size_t adinglen_pr;
+    const unsigned char *entg_pr;
+    size_t entglen_pr;
+    const unsigned char *kat_pr;
+    size_t katlen_pr;
+    const unsigned char *kat2_pr;
+    size_t kat2len_pr;
+} DRBG_SELFTEST_DATA;
+
+#define make_drbg_test_data(nid, flag, pr, post) {\
+    post, nid, flag, \
+    pr##_entropyinput, sizeof(pr##_entropyinput), \
+    pr##_nonce, sizeof(pr##_nonce), \
+    pr##_personalizationstring, sizeof(pr##_personalizationstring), \
+    pr##_additionalinput, sizeof(pr##_additionalinput), \
+    pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
+    pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
+    pr##_additionalinput2, sizeof(pr##_additionalinput2), \
+    pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
+    pr##_returnedbits, sizeof(pr##_returnedbits), \
+    pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
+    pr##_pr_nonce, sizeof(pr##_pr_nonce), \
+    pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
+    pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
+    pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
+    pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
+    pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
+    pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
+    pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
+    }
+
+#define make_drbg_test_data_df(nid, pr, p) \
+    make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_USE_DF, pr, p)
+
+static DRBG_SELFTEST_DATA drbg_test[] = {
+    make_drbg_test_data_df(NID_aes_128_ctr,    aes_128_use_df, 0),
+    make_drbg_test_data_df(NID_aes_192_ctr,    aes_192_use_df, 0),
+    make_drbg_test_data_df(NID_aes_256_ctr,    aes_256_use_df, 1),
+    make_drbg_test_data   (NID_aes_128_ctr, 0, aes_128_no_df, 0),
+    make_drbg_test_data   (NID_aes_192_ctr, 0, aes_192_no_df, 0),
+    make_drbg_test_data   (NID_aes_256_ctr, 0, aes_256_no_df, 1),
+};
+
+static int app_data_index;
+
+/*
+ * Test context data, attached as appdata to the DRBG_CTX
+ */
+typedef struct test_ctx_st {
+    const unsigned char *ent;
+    size_t entlen;
+    int entcnt;
+    const unsigned char *nonce;
+    size_t noncelen;
+    int noncecnt;
+} TEST_CTX;
+
+static size_t kat_entropy(DRBG_CTX *dctx, unsigned char **pout,
+                          int entropy, size_t min_len, size_t max_len)
+{
+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index);
+
+    t->entcnt++;
+    *pout = (unsigned char *)t->ent;
+    return t->entlen;
+}
+
+static size_t kat_nonce(DRBG_CTX *dctx, unsigned char **pout,
+                        int entropy, size_t min_len, size_t max_len)
+{
+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index);
+
+    t->noncecnt++;
+    *pout = (unsigned char *)t->nonce;
+    return t->noncelen;
+}
+
+static int uninstantiate(DRBG_CTX *dctx)
+{
+    int ret = dctx == NULL ? 1 : RAND_DRBG_uninstantiate(dctx);
+
+    ERR_clear_error();
+    return ret;
+}
+
+/*
+ * Do a single KAT test.  Return 0 on failure.
+ */
+static int single_kat(DRBG_SELFTEST_DATA *td)
+{
+    DRBG_CTX *dctx = NULL;
+    TEST_CTX t;
+    int failures = 0;
+    unsigned char buff[1024];
+
+    /*
+     * Test without PR: Instantiate DRBG with test entropy, nonce and
+     * personalisation string.
+     */
+    if (!TEST_ptr(dctx = RAND_DRBG_new(td->nid, td->flags, NULL)))
+        return 0;
+    if (!TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
+                                           kat_nonce, NULL))) {
+        failures++;
+        goto err;
+    }
+    memset(&t, 0, sizeof(t));
+    t.ent = td->ent;
+    t.entlen = td->entlen;
+    t.nonce = td->nonce;
+    t.noncelen = td->noncelen;
+    RAND_DRBG_set_ex_data(dctx, app_data_index, &t);
+
+    if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen))
+            || !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+                                             td->adin, td->adinlen))
+            || !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen))
+        failures++;
+
+    /* Reseed DRBG with test entropy and additional input */
+    t.ent = td->entreseed;
+    t.entlen = td->entreseedlen;
+    if (!TEST_true(RAND_DRBG_reseed(dctx, td->adinreseed, td->adinreseedlen)
+            || !TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len, 0,
+                                             td->adin2, td->adin2len))
+            || !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len)))
+        failures++;
+    uninstantiate(dctx);
+
+    /*
+     * Now test with PR: Instantiate DRBG with test entropy, nonce and
+     * personalisation string.
+     */
+    if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags))
+            || !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
+                                                  kat_nonce, NULL)))
+        failures++;
+    RAND_DRBG_set_ex_data(dctx, app_data_index, &t);
+    t.ent = td->ent_pr;
+    t.entlen = td->entlen_pr;
+    t.nonce = td->nonce_pr;
+    t.noncelen = td->noncelen_pr;
+    t.entcnt = 0;
+    t.noncecnt = 0;
+    if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers_pr, td->perslen_pr)))
+        failures++;
+
+    /*
+     * Now generate with PR: we need to supply entropy as this will
+     * perform a reseed operation.
+     */
+    t.ent = td->entpr_pr;
+    t.entlen = td->entprlen_pr;
+    if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->katlen_pr, 1,
+                                      td->adin_pr, td->adinlen_pr))
+            || !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr))
+        failures++;
+
+    /*
+     * Now generate again with PR: supply new entropy again.
+     */
+    t.ent = td->entg_pr;
+    t.entlen = td->entglen_pr;
+
+    if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len_pr, 1,
+                                      td->ading_pr, td->adinglen_pr))
+                || !TEST_mem_eq(td->kat2_pr, td->kat2len_pr,
+                                buff, td->kat2len_pr))
+        failures++;
+
+err:
+    uninstantiate(dctx);
+    RAND_DRBG_free(dctx);
+    return failures == 0;
+}
+
+/*
+ * Initialise a DRBG based on selftest data
+ */
+static int init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
+{
+    if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags))
+            || !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
+                                                  kat_nonce, NULL)))
+        return 0;
+    RAND_DRBG_set_ex_data(dctx, app_data_index, t);
+    t->ent = td->ent;
+    t->entlen = td->entlen;
+    t->nonce = td->nonce;
+    t->noncelen = td->noncelen;
+    t->entcnt = 0;
+    t->noncecnt = 0;
+    return 1;
+}
+
+/*
+ * Initialise and instantiate DRBG based on selftest data
+ */
+static int instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
+                       TEST_CTX *t)
+{
+    if (!TEST_true(init(dctx, td, t))
+            || !TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen)))
+        return 0;
+    return 1;
+}
+
+/*
+ * Perform extensive error checking as required by SP800-90.
+ * Induce several failure modes and check an error condition is set.
+ */
+static int error_check(DRBG_SELFTEST_DATA *td)
+{
+    static char zero[sizeof(DRBG_CTX)];
+    DRBG_CTX *dctx = NULL;
+    TEST_CTX t;
+    unsigned char buff[1024];
+    unsigned int reseed_counter_tmp;
+    int ret = 0;
+
+    if (!TEST_ptr(dctx = RAND_DRBG_new(0, 0, NULL)))
+        goto err;
+
+    /*
+     * Personalisation string tests
+     */
+
+    /* Test detection of too large personlisation string */
+    if (!init(dctx, td, &t)
+            || RAND_DRBG_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
+        goto err;
+
+    /*
+     * Entropy source tests
+     */
+
+    /* Test entropy source failure detecion: i.e. returns no data */
+    t.entlen = 0;
+    if (TEST_int_le(RAND_DRBG_instantiate(dctx, td->pers, td->perslen), 0))
+        goto err;
+
+    /* Try to generate output from uninstantiated DRBG */
+    if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+                                       td->adin, td->adinlen))
+            || !uninstantiate(dctx))
+        goto err;
+
+    /* Test insufficient entropy */
+    t.entlen = dctx->min_entropy - 1;
+    if (!init(dctx, td, &t)
+            || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
+            || !uninstantiate(dctx))
+        goto err;
+
+    /* Test too much entropy */
+    t.entlen = dctx->max_entropy + 1;
+    if (!init(dctx, td, &t)
+            || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
+            || !uninstantiate(dctx))
+        goto err;
+
+    /*
+     * Nonce tests
+     */
+
+    /* Test too small nonce */
+    if (dctx->min_nonce) { 
+        t.noncelen = dctx->min_nonce - 1;
+        if (!init(dctx, td, &t)
+                || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
+                || !uninstantiate(dctx))
+            goto err;
+    }
+
+    /* Test too large nonce */
+    if (dctx->max_nonce) {
+        t.noncelen = dctx->max_nonce + 1;
+        if (!init(dctx, td, &t)
+                || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
+                || !uninstantiate(dctx))
+            goto err;
+    }
+
+    /* Instantiate with valid data, Check generation is now OK */
+    if (!instantiate(dctx, td, &t)
+            || !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+                                             td->adin, td->adinlen)))
+        goto err;
+
+    /* Request too much data for one request */
+    if (!TEST_false(RAND_DRBG_generate(dctx, buff, dctx->max_request + 1, 0,
+                                       td->adin, td->adinlen)))
+        goto err;
+
+    /* Try too large additional input */
+    if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+                                       td->adin, dctx->max_adin + 1)))
+        goto err;
+
+    /*
+     * Check prediction resistance request fails if entropy source
+     * failure.
+     */
+    t.entlen = 0;
+    if (TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1,
+                                      td->adin, td->adinlen))
+            || !uninstantiate(dctx))
+        goto err;
+
+    /* Instantiate again with valid data */ 
+    if (!instantiate(dctx, td, &t))
+        goto err;
+    reseed_counter_tmp = dctx->reseed_counter;
+    dctx->reseed_counter = dctx->reseed_interval;
+
+    /* Generate output and check entropy has been requested for reseed */
+    t.entcnt = 0;
+    if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+                                      td->adin, td->adinlen))
+            || !TEST_int_eq(t.entcnt, 1)
+            || !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1)
+            || !uninstantiate(dctx))
+        goto err;
+
+    /*
+     * Check prediction resistance request fails if entropy source
+     * failure.
+     */
+    t.entlen = 0;
+    if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1,
+                                       td->adin, td->adinlen))
+            || !uninstantiate(dctx))
+        goto err;
+
+    /* Test reseed counter works */
+    if (!instantiate(dctx, td, &t))
+        goto err;
+    reseed_counter_tmp = dctx->reseed_counter;
+    dctx->reseed_counter = dctx->reseed_interval;
+
+    /* Generate output and check entropy has been requested for reseed */
+    t.entcnt = 0;
+    if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
+                                      td->adin, td->adinlen))
+            || !TEST_int_eq(t.entcnt, 1)
+            || !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1)
+            || !uninstantiate(dctx))
+        goto err;
+
+    /*
+     * Explicit reseed tests
+     */
+
+    /* Test explicit reseed with too large additional input */
+    if (!init(dctx, td, &t)
+            || RAND_DRBG_reseed(dctx, td->adin, dctx->max_adin + 1) > 0)
+        goto err;
+
+    /* Test explicit reseed with entropy source failure */
+    t.entlen = 0;
+    if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
+            || !uninstantiate(dctx))
+        goto err;
+
+    /* Test explicit reseed with too much entropy */
+    if (!init(dctx, td, &t))
+        goto err;
+    t.entlen = dctx->max_entropy + 1;
+    if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
+            || !uninstantiate(dctx))
+        goto err;
+
+    /* Test explicit reseed with too little entropy */
+    if (!init(dctx, td, &t))
+        goto err;
+    t.entlen = dctx->min_entropy - 1;
+    if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
+            || !uninstantiate(dctx))
+        goto err;
+
+    /* Standard says we have to check uninstantiate really zeroes */
+    if (!TEST_mem_eq(zero, sizeof(dctx->ctr), &dctx->ctr, sizeof(dctx->ctr)))
+        goto err;
+
+    ret = 1;
+
+err:
+    uninstantiate(dctx);
+    RAND_DRBG_free(dctx);
+    return ret;
+}
+
+static int test_kats(int i)
+{
+    DRBG_SELFTEST_DATA *td = &drbg_test[i];
+    int rv = 0;
+
+    if (!single_kat(td))
+        goto err;
+    rv = 1;
+
+err:
+    return rv;
+}
+
+static int test_error_checks(int i)
+{
+    DRBG_SELFTEST_DATA *td = &drbg_test[i];
+    int rv = 0;
+
+    if (error_check(td))
+        goto err;
+    rv = 1;
+
+err:
+    return rv;
+}
+
+
+int test_main(int argc, char *argv[])
+{
+    if (argc != 1) {
+        TEST_error("Usage: %s", argv[0]);
+        return EXIT_FAILURE;
+    }
+    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+
+    ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test));
+    ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test));
+    return run_tests(argv[0]);
+}
diff --git a/test/drbgtest.h b/test/drbgtest.h
new file mode 100644 (file)
index 0000000..c11b8a2
--- /dev/null
@@ -0,0 +1,579 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Known answer tests for SP800-90 DRBG CTR mode.
+ */
+
+
+/*
+ * AES-128 use df PR
+ */
+static const unsigned char aes_128_use_df_pr_entropyinput[] = {
+    0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
+    0xc8, 0xdb, 0xff, 0x12
+};
+static const unsigned char aes_128_use_df_pr_nonce[] = {
+    0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
+};
+static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
+    0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
+    0xd7, 0xd7, 0x01, 0x67
+};
+static const unsigned char aes_128_use_df_pr_additionalinput[] = {
+    0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
+    0x9a, 0x47, 0x08, 0x76
+};
+static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
+    0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
+    0x09, 0xfb, 0xa3, 0xb6
+};
+static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
+    0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
+    0x66, 0x1c, 0xea, 0x5b
+};
+static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
+    0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
+    0x3f, 0x5e, 0x31, 0x06
+};
+static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
+    0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
+    0xa7, 0xe3, 0xa8, 0x67
+};
+static const unsigned char aes_128_use_df_pr_returnedbits[] = {
+    0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
+    0x0f, 0x38, 0x43, 0xc6
+};
+
+
+/*
+ * AES-128 use df no PR
+ */
+static const unsigned char aes_128_use_df_entropyinput[] = {
+    0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
+    0x9d, 0x7d, 0x1c, 0x9b
+};
+static const unsigned char aes_128_use_df_nonce[] = {
+    0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96,
+};
+static const unsigned char aes_128_use_df_personalizationstring[] = {
+    0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
+    0x38, 0x66, 0xba, 0x1b
+};
+static const unsigned char aes_128_use_df_additionalinput[] = {
+    0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
+    0xb5, 0xe2, 0xb2, 0x41
+};
+static const unsigned char aes_128_use_df_int_returnedbits[] = {
+    0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
+    0xe7, 0x57, 0x11, 0xb4
+};
+static const unsigned char aes_128_use_df_entropyinputreseed[] = {
+    0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
+    0xc7, 0xc4, 0x9e, 0x39
+};
+static const unsigned char aes_128_use_df_additionalinputreseed[] = {
+    0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
+    0xc8, 0x93, 0xfa, 0x84
+};
+static const unsigned char aes_128_use_df_additionalinput2[] = {
+    0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
+    0x06, 0x0c, 0x15, 0x2c
+};
+static const unsigned char aes_128_use_df_returnedbits[] = {
+    0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
+    0x46, 0x81, 0xc7, 0x19
+};
+
+
+/*
+ * AES-192 use df PR
+ */
+static const unsigned char aes_192_use_df_pr_entropyinput[] = {
+    0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
+    0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
+};
+static const unsigned char aes_192_use_df_pr_nonce[] = {
+    0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
+    0xd1, 0x80, 0x78, 0xfa
+};
+static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
+    0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
+    0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
+    0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
+};
+static const unsigned char aes_192_use_df_pr_additionalinput[] = {
+    0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
+    0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
+    0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
+};
+static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
+    0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
+    0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5,
+};
+static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
+    0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
+    0x19, 0x30, 0x6b, 0x67
+};
+static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
+    0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
+    0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
+    0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
+};
+static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
+    0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
+    0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e,
+};
+static const unsigned char aes_192_use_df_pr_returnedbits[] = {
+    0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
+    0x7e, 0x1a, 0x2b, 0x83
+};
+
+
+/*
+ * AES-192 use df no PR
+ */
+static const unsigned char aes_192_use_df_entropyinput[] = {
+    0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
+    0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b,
+};
+static const unsigned char aes_192_use_df_nonce[] = {
+    0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
+    0x77, 0xd7, 0x41, 0x0e
+};
+static const unsigned char aes_192_use_df_personalizationstring[] = {
+    0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
+    0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
+    0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
+};
+static const unsigned char aes_192_use_df_additionalinput[] = {
+    0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
+    0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
+    0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
+};
+static const unsigned char aes_192_use_df_int_returnedbits[] = {
+    0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
+    0xb7, 0xed, 0xe9, 0xea
+};
+static const unsigned char aes_192_use_df_entropyinputreseed[] = {
+    0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
+    0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01,
+};
+static const unsigned char aes_192_use_df_additionalinputreseed[] = {
+    0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
+    0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
+    0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
+};
+static const unsigned char aes_192_use_df_additionalinput2[] = {
+    0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
+    0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
+    0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
+};
+static const unsigned char aes_192_use_df_returnedbits[] = {
+    0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
+    0x1a, 0xf9, 0x13, 0x28
+};
+
+
+/*
+ * AES-256 use df PR
+ */
+static const unsigned char aes_256_use_df_pr_entropyinput[] = {
+    0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
+    0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
+    0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
+};
+static const unsigned char aes_256_use_df_pr_nonce[] = {
+    0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
+    0x2b, 0x36, 0xff, 0xa4
+};
+static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
+    0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
+    0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
+    0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
+};
+static const unsigned char aes_256_use_df_pr_additionalinput[] = {
+    0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
+    0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
+    0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
+};
+static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
+    0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
+    0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
+    0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
+};
+static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
+    0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
+    0x17, 0xab, 0x3c, 0x7a
+};
+static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
+    0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
+    0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
+    0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
+};
+static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
+    0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
+    0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
+    0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
+};
+static const unsigned char aes_256_use_df_pr_returnedbits[] = {
+    0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
+    0xd9, 0xe2, 0x97, 0x00
+};
+
+
+/*
+ * AES-256 use df no PR
+ */
+static const unsigned char aes_256_use_df_entropyinput[] = {
+    0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
+    0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
+    0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
+};
+static const unsigned char aes_256_use_df_nonce[] = {
+    0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
+    0x4c, 0x44, 0x84, 0x40
+};
+static const unsigned char aes_256_use_df_personalizationstring[] = {
+    0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
+    0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
+    0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
+};
+static const unsigned char aes_256_use_df_additionalinput[] = {
+    0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
+    0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
+    0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
+};
+static const unsigned char aes_256_use_df_int_returnedbits[] = {
+    0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
+    0x28, 0x0c, 0x3b, 0xc1
+};
+static const unsigned char aes_256_use_df_entropyinputreseed[] = {
+    0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
+    0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
+    0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
+};
+static const unsigned char aes_256_use_df_additionalinputreseed[] = {
+    0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
+    0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
+    0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
+};
+static const unsigned char aes_256_use_df_additionalinput2[] = {
+    0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
+    0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
+    0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
+};
+static const unsigned char aes_256_use_df_returnedbits[] = {
+    0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
+    0xfa, 0xfd, 0x35, 0x5e
+};
+
+
+/*
+ * AES-128 no df PR
+ */
+static const unsigned char aes_128_no_df_pr_entropyinput[] = {
+    0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
+    0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
+    0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
+};
+static const unsigned char aes_128_no_df_pr_nonce[] = {
+    0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1,
+};
+static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
+    0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
+    0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
+    0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
+};
+static const unsigned char aes_128_no_df_pr_additionalinput[] = {
+    0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
+    0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
+    0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
+};
+static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
+    0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
+    0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
+    0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
+};
+static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
+    0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
+    0xaf, 0x19, 0x32, 0x16
+};
+static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
+    0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
+    0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
+    0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
+};
+static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
+    0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
+    0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
+    0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
+};
+static const unsigned char aes_128_no_df_pr_returnedbits[] = {
+    0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
+    0x57, 0x82, 0x33, 0xaf
+};
+
+
+/*
+ * AES-128 no df no PR
+ */
+static const unsigned char aes_128_no_df_entropyinput[] = {
+    0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
+    0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
+    0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
+};
+static const unsigned char aes_128_no_df_nonce[] = {
+    0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13,
+};
+static const unsigned char aes_128_no_df_personalizationstring[] = {
+    0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
+    0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
+    0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
+};
+static const unsigned char aes_128_no_df_additionalinput[] = {
+    0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
+    0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
+    0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
+};
+static const unsigned char aes_128_no_df_int_returnedbits[] = {
+    0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
+    0xed, 0x3e, 0x65, 0xc2
+};
+static const unsigned char aes_128_no_df_entropyinputreseed[] = {
+    0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
+    0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
+    0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
+};
+static const unsigned char aes_128_no_df_additionalinputreseed[] = {
+    0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
+    0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
+    0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
+};
+static const unsigned char aes_128_no_df_additionalinput2[] = {
+    0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
+    0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
+    0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
+};
+static const unsigned char aes_128_no_df_returnedbits[] = {
+    0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
+    0x81, 0x37, 0x19, 0xd4
+};
+
+
+/*
+ * AES-192 no df PR
+ */
+static const unsigned char aes_192_no_df_pr_entropyinput[] = {
+    0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
+    0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
+    0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
+    0x17, 0x1f, 0x8d, 0x9a
+};
+static const unsigned char aes_192_no_df_pr_nonce[] = {
+    0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
+    0x61, 0x5c, 0xee, 0x0f
+};
+static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
+    0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
+    0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
+    0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
+    0x57, 0x2e, 0xe7, 0x55
+};
+static const unsigned char aes_192_no_df_pr_additionalinput[] = {
+    0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
+    0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
+    0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
+    0xe2, 0xd0, 0x0c, 0x2f
+};
+static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
+    0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
+    0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
+    0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
+    0x1d, 0x30, 0xb3, 0x78
+};
+static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
+    0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
+    0x7e, 0x3e, 0x0c, 0x26
+};
+static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
+    0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
+    0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
+    0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
+    0x0c, 0x4b, 0xee, 0x6e
+};
+static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
+    0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
+    0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
+    0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
+    0x8e, 0x0a, 0x83, 0xdf
+};
+static const unsigned char aes_192_no_df_pr_returnedbits[] = {
+    0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
+    0xb9, 0xa1, 0x21, 0x68
+};
+
+
+/*
+ * AES-192 no df no PR
+ */
+static const unsigned char aes_192_no_df_entropyinput[] = {
+    0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
+    0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
+    0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
+    0x94, 0xc3, 0x59, 0x63
+};
+static const unsigned char aes_192_no_df_nonce[] = {
+    0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
+    0x29, 0xfd, 0x45, 0x71
+};
+static const unsigned char aes_192_no_df_personalizationstring[] = {
+    0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
+    0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
+    0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
+    0x3b, 0x88, 0xce, 0x35
+};
+static const unsigned char aes_192_no_df_additionalinput[] = {
+    0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
+    0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
+    0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
+    0x3e, 0xbe, 0xd4, 0x8e
+};
+static const unsigned char aes_192_no_df_int_returnedbits[] = {
+    0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
+    0x45, 0xe7, 0x4a, 0xc5
+};
+static const unsigned char aes_192_no_df_entropyinputreseed[] = {
+    0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
+    0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
+    0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
+    0x9b, 0xcb, 0x7e, 0x75
+};
+static const unsigned char aes_192_no_df_additionalinputreseed[] = {
+    0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
+    0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
+    0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
+    0x5d, 0x7a, 0x25, 0x79
+};
+static const unsigned char aes_192_no_df_additionalinput2[] = {
+    0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
+    0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
+    0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
+    0x91, 0x6a, 0xe3, 0x5f
+};
+static const unsigned char aes_192_no_df_returnedbits[] = {
+    0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
+    0x66, 0x67, 0x2c, 0x92
+};
+
+
+/*
+ * AES-256 no df PR
+ */
+static const unsigned char aes_256_no_df_pr_entropyinput[] = {
+    0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
+    0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
+    0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
+    0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c,
+};
+static const unsigned char aes_256_no_df_pr_nonce[] = {
+    0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
+    0xcc, 0x4b, 0xee, 0x2e
+};
+static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
+    0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
+    0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
+    0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
+    0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06,
+};
+static const unsigned char aes_256_no_df_pr_additionalinput[] = {
+    0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
+    0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
+    0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
+    0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e,
+};
+static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
+    0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
+    0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
+    0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
+    0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f,
+};
+static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
+    0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
+    0x79, 0x60, 0x93, 0xcf
+};
+static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
+    0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
+    0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
+    0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
+    0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb,
+};
+static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
+    0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
+    0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
+    0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
+    0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f,
+};
+static const unsigned char aes_256_no_df_pr_returnedbits[] = {
+    0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
+    0x2d, 0x5f, 0x4a, 0x46
+};
+
+
+/*
+ * AES-256 no df no PR
+ */
+static const unsigned char aes_256_no_df_entropyinput[] = {
+    0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
+    0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
+    0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
+    0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3,
+};
+static const unsigned char aes_256_no_df_nonce[] = {
+    0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
+    0x43, 0x96, 0xb9, 0xf0
+};
+static const unsigned char aes_256_no_df_personalizationstring[] = {
+    0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
+    0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
+    0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
+    0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d,
+};
+static const unsigned char aes_256_no_df_additionalinput[] = {
+    0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
+    0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
+    0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
+    0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17,
+};
+static const unsigned char aes_256_no_df_int_returnedbits[] = {
+    0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
+    0xd2, 0x25, 0x75, 0x0e
+};
+static const unsigned char aes_256_no_df_entropyinputreseed[] = {
+    0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
+    0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
+    0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
+    0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb,
+};
+static const unsigned char aes_256_no_df_additionalinputreseed[] = {
+    0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
+    0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
+    0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
+    0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29,
+};
+static const unsigned char aes_256_no_df_additionalinput2[] = {
+    0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
+    0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
+    0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
+    0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6,
+};
+static const unsigned char aes_256_no_df_returnedbits[] = {
+    0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
+    0xf6, 0x02, 0x32, 0xe2
+};
index 3b175fa..64840db 100644 (file)
@@ -6,7 +6,12 @@
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
 
+use strict;
+use warnings;
+use OpenSSL::Test;
 
-use OpenSSL::Test::Simple;
+plan tests => 2;
+setup("test_rand");
 
-simple_test("test_rand", "randtest", "rand");
+ok(run(test(["randtest"])));
+ok(run(test(["drbgtest"])));
index 4369694..136fbaf 100644 (file)
@@ -4345,3 +4345,16 @@ OSSL_STORE_LOADER_get0_engine           4287     1_1_1   EXIST::FUNCTION:
 OPENSSL_fork_prepare                    4288   1_1_1   EXIST:UNIX:FUNCTION:
 OPENSSL_fork_parent                     4289   1_1_1   EXIST:UNIX:FUNCTION:
 OPENSSL_fork_child                      4290   1_1_1   EXIST:UNIX:FUNCTION:
+RAND_drbg                               4291   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_instantiate                   4292   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_uninstantiate                 4293   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_get_default                   4294   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_set                           4295   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_set_callbacks                 4296   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_new                           4297   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_set_reseed_interval           4298   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_free                          4299   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_generate                      4300   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_reseed                        4301   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_set_ex_data                   4302   1_1_1   EXIST::FUNCTION:
+RAND_DRBG_get_ex_data                   4303   1_1_1   EXIST::FUNCTION:
index 6315a5b..b3eb6b3 100755 (executable)
@@ -246,6 +246,7 @@ my $crypto ="include/internal/dso.h";
 $crypto.=" include/internal/o_dir.h";
 $crypto.=" include/internal/o_str.h";
 $crypto.=" include/internal/err.h";
+$crypto.=" include/internal/rand.h";
 foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) {
     my $fn = "include/openssl/" . lc(basename($f));
     $crypto .= " $fn" if !defined $skipthese{$fn} && $f !~ m@/[a-z]+err\.h$@;