1 /* fips/rand/fips_drbg_selftest.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
54 #define OPENSSL_FIPSAPI
57 #include <openssl/crypto.h>
58 #include <openssl/err.h>
59 #include <openssl/fips_rand.h>
60 #include "fips_rand_lcl.h"
61 #include "fips_locl.h"
66 const unsigned char *ent;
68 const unsigned char *nonce;
70 const unsigned char *pers;
72 const unsigned char *adin;
74 const unsigned char *entpr;
76 const unsigned char *ading;
78 const unsigned char *entg;
80 const unsigned char *kat;
84 #define make_drbg_test_data(nid, flag, pr) { nid, flag | DRBG_FLAG_TEST, \
85 pr##_entropyinput, sizeof(pr##_entropyinput), \
86 pr##_nonce, sizeof(pr##_nonce), \
87 pr##_personalizationstring, sizeof(pr##_personalizationstring), \
88 pr##_additionalinput, sizeof(pr##_additionalinput), \
89 pr##_entropyinputpr, sizeof(pr##_entropyinputpr), \
90 pr##_additionalinput2, sizeof(pr##_additionalinput2), \
91 pr##_entropyinputpr2, sizeof(pr##_entropyinputpr2), \
92 pr##_returnedbits, sizeof(pr##_returnedbits), \
95 #define make_drbg_test_data_df(nid, pr) \
96 make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr)
98 /* AES-128 use df PR */
99 static const unsigned char aes_128_use_df_entropyinput[] =
101 0x98,0x38,0x99,0x81,0x1d,0x56,0x1a,0x04,0xb0,0x50,0xcd,0x14,
105 static const unsigned char aes_128_use_df_nonce[] =
107 0xa8,0xa0,0x80,0x8a,0x65,0xb7,0x38,0x22
110 static const unsigned char aes_128_use_df_personalizationstring[] =
112 0x67,0x4f,0x85,0x01,0x15,0x51,0x85,0xdd,0x97,0xda,0xf7,0x09,
116 static const unsigned char aes_128_use_df_additionalinput[] =
118 0x01,0xba,0xa8,0x13,0x9e,0xd4,0xb7,0xff,0x86,0x34,0x01,0xa0,
122 static const unsigned char aes_128_use_df_entropyinputpr[] =
124 0x60,0x76,0xf6,0x12,0x6b,0x92,0xbe,0xd7,0x75,0x6e,0x78,0x1f,
128 static const unsigned char aes_128_use_df_additionalinput2[] =
130 0xf0,0xd6,0x5b,0xa3,0x7c,0x1e,0xa3,0x65,0x08,0xf9,0xdd,0x90,
134 static const unsigned char aes_128_use_df_entropyinputpr2[] =
136 0x34,0x55,0x02,0xa9,0x30,0xf0,0x78,0x0a,0xa2,0xae,0x74,0x46,
140 static const unsigned char aes_128_use_df_returnedbits[] =
142 0x48,0x52,0xb6,0x9f,0xf2,0xfe,0xe1,0x12,0xaf,0x22,0x87,0xd7,
147 /* AES-192 use df PR */
148 static const unsigned char aes_192_use_df_entropyinput[] =
150 0x12,0xf6,0xff,0xc5,0x81,0x8c,0x15,0xd7,0x33,0x0c,0x4f,0x45,
151 0xbf,0x2a,0x97,0xd2,0xe0,0xe0,0xbd,0x48,0x4e,0x83,0x76,0x25
154 static const unsigned char aes_192_use_df_nonce[] =
156 0x35,0xc8,0x16,0x8c,0xbd,0x1f,0x53,0xc4,0x6e,0x47,0x3a,0x74,
160 static const unsigned char aes_192_use_df_personalizationstring[] =
162 0xd6,0xe2,0x27,0x88,0xf4,0xce,0x9d,0xfc,0x92,0xde,0x07,0x57,
163 0x43,0x74,0x17,0x6e,0x63,0x54,0xaf,0x5a,0x3c,0xf8,0x23,0x65,
164 0x5a,0x15,0xb0,0x35,0x2a,0x6c,0x3c,0x3a
167 static const unsigned char aes_192_use_df_additionalinput[] =
169 0xad,0xa4,0x47,0xa4,0xcf,0x46,0x7b,0xf7,0x19,0xcc,0xda,0xbe,
170 0x11,0x42,0x85,0xaa,0x21,0x16,0x27,0xe6,0x35,0xdf,0xb5,0x87,
171 0x96,0x68,0x64,0x35,0x08,0x02,0xe9,0x19
174 static const unsigned char aes_192_use_df_entropyinputpr[] =
176 0x6f,0x41,0x2d,0x5e,0xd6,0xc9,0xf8,0x6a,0x22,0x00,0xe0,0xfb,
177 0x4b,0xcd,0xbe,0x2d,0x98,0xff,0x1b,0xe2,0xb9,0x95,0x73,0xac
180 static const unsigned char aes_192_use_df_additionalinput2[] =
182 0x51,0xea,0xd8,0x8e,0xa0,0xd7,0x9c,0x22,0x3c,0x01,0xf6,0xdb,
183 0xe9,0xe4,0x60,0x1e,0x54,0x56,0x3b,0x5c,0xd2,0xf3,0xa0,0x1d,
184 0x5c,0xd0,0x85,0x48,0xc9,0x5f,0x12,0xb7
187 static const unsigned char aes_192_use_df_entropyinputpr2[] =
189 0xf7,0x1f,0x9f,0x0e,0x14,0x30,0xde,0x4c,0xf9,0x34,0x49,0xc5,
190 0x24,0x91,0xe3,0x30,0xfd,0x5f,0x1e,0x79,0x30,0xf5,0x58,0xe6
193 static const unsigned char aes_192_use_df_returnedbits[] =
195 0x5b,0x8a,0xca,0x2e,0x74,0xb6,0x6f,0x96,0x48,0xb0,0xe4,0xc1,
200 /* AES-256 use df PR */
201 static const unsigned char aes_256_use_df_entropyinput[] =
203 0x2a,0x02,0xbe,0xaa,0xba,0xb4,0x6a,0x73,0x53,0x85,0xa9,0x2a,
204 0xae,0x4a,0xdc,0xeb,0xe8,0x07,0xfb,0xf3,0xbc,0xe3,0xf4,0x2e,
205 0x00,0x53,0x46,0x00,0x64,0x80,0xdd,0x57
208 static const unsigned char aes_256_use_df_nonce[] =
210 0x2c,0x86,0xa2,0xf9,0x70,0xb5,0xca,0xd3,0x9a,0x08,0xdc,0xb6,
214 static const unsigned char aes_256_use_df_personalizationstring[] =
216 0xdb,0x6c,0xe1,0x84,0xbe,0x07,0xae,0x55,0x4e,0x34,0x5d,0xb8,
217 0x47,0x98,0x85,0xe0,0x3d,0x3e,0x9f,0x60,0xfa,0x1c,0x7d,0x57,
218 0x19,0xe5,0x09,0xdc,0xe2,0x10,0x41,0xab
221 static const unsigned char aes_256_use_df_additionalinput[] =
223 0x1d,0xc3,0x11,0x93,0xcb,0xc4,0xf6,0xbb,0x57,0xb0,0x09,0x70,
224 0xb9,0xc6,0x05,0x86,0x4e,0x75,0x95,0x7d,0x3d,0xec,0xce,0xb4,
225 0x0b,0xe4,0xef,0xd1,0x7b,0xab,0x56,0x6f
228 static const unsigned char aes_256_use_df_entropyinputpr[] =
230 0x8f,0xb9,0xab,0xf9,0x33,0xcc,0xbe,0xc6,0xbd,0x8b,0x61,0x5a,
231 0xec,0xc6,0x4a,0x5b,0x03,0x21,0xe7,0x37,0x03,0x02,0xbc,0xa5,
232 0x28,0xb9,0xfe,0x7a,0xa8,0xef,0x6f,0xb0
235 static const unsigned char aes_256_use_df_additionalinput2[] =
237 0xd6,0x98,0x63,0x48,0x94,0x9f,0x26,0xf7,0x1f,0x44,0x13,0x23,
238 0xa7,0xde,0x09,0x12,0x90,0x04,0xce,0xbc,0xac,0x82,0x70,0x58,
239 0xba,0x7d,0xdc,0x25,0x1e,0xe4,0xbf,0x7c
242 static const unsigned char aes_256_use_df_entropyinputpr2[] =
244 0xe5,0x04,0xef,0x7c,0x8d,0x02,0xd7,0x68,0x95,0x4c,0x64,0x34,
245 0x30,0x3a,0xcb,0x07,0xc9,0x0a,0xef,0x26,0xc6,0x57,0x43,0xfb,
246 0x7d,0xbe,0xe2,0x61,0x75,0xcd,0xee,0x34
249 static const unsigned char aes_256_use_df_returnedbits[] =
251 0x75,0x6d,0x16,0xef,0x14,0xae,0xd9,0xc2,0x28,0x0b,0x66,0xff,
256 /* AES-128 no df PR */
257 static const unsigned char aes_128_no_df_entropyinput[] =
259 0xbe,0x91,0xb9,0x09,0x91,0x13,0x0b,0xbd,0x7b,0x95,0x77,0xed,
260 0xf2,0x00,0xff,0x2a,0xec,0xbd,0x7a,0x11,0x59,0xe1,0x32,0x1a,
261 0xe3,0x9a,0xbd,0xa2,0xe4,0xd9,0x1a,0x39
264 static const unsigned char aes_128_no_df_nonce[] =
266 0x39,0xeb,0x7a,0x42,0x0b,0x7f,0x4f,0xd5
269 static const unsigned char aes_128_no_df_personalizationstring[] =
271 0xd0,0xe4,0x9c,0xf6,0x2f,0xc8,0xba,0x6d,0xb9,0x91,0x8f,0xc1,
272 0x45,0x5b,0xb9,0x4f,0xdb,0x36,0xd6,0x71,0x2c,0x4b,0x2a,0x4c,
273 0x50,0x4c,0x74,0xdb,0xc5,0x20,0x0b,0x3b
276 static const unsigned char aes_128_no_df_additionalinput[] =
278 0x7c,0x35,0x81,0x03,0x58,0x93,0x24,0xf7,0x9c,0x98,0x4a,0x9d,
279 0x94,0xbd,0x9d,0x77,0x64,0xda,0xa4,0x67,0x66,0xb7,0x43,0xde,
280 0xc5,0xd5,0x72,0x42,0x5a,0x7c,0x41,0x9f
283 static const unsigned char aes_128_no_df_entropyinputpr[] =
285 0x63,0xf6,0x0e,0xfe,0x56,0xad,0x8f,0x37,0xa8,0xa1,0x6a,0x83,
286 0x01,0xac,0x51,0xe0,0x86,0x26,0xce,0x5c,0x57,0x14,0xd8,0xde,
287 0x4d,0x93,0xb6,0x35,0xf4,0x85,0x18,0x60
290 static const unsigned char aes_128_no_df_additionalinput2[] =
292 0x90,0x0f,0x35,0x81,0xc5,0xf5,0xc8,0x1b,0x80,0x99,0xcd,0xe2,
293 0xbb,0xe2,0xc7,0x65,0x40,0x74,0x50,0x2b,0x89,0xb4,0x16,0x60,
294 0xd7,0x1e,0x15,0xbf,0x91,0xc9,0x15,0xc2
297 static const unsigned char aes_128_no_df_entropyinputpr2[] =
299 0xc7,0x9f,0xd6,0x9b,0xe2,0x74,0x3e,0x8c,0x12,0xdd,0x41,0xcd,
300 0x51,0x6b,0xd4,0x71,0x3e,0xd0,0x36,0xc7,0xb9,0xa6,0xaf,0xca,
301 0xc0,0x7e,0x89,0xc4,0x88,0x2b,0x4e,0x43
304 static const unsigned char aes_128_no_df_returnedbits[] =
306 0x8c,0x7f,0x69,0xbf,0xb8,0x07,0x17,0xa6,0x09,0xef,0xd2,0x0a,
311 /* AES-192 no df PR */
312 static const unsigned char aes_192_no_df_entropyinput[] =
314 0xd5,0xcb,0x5b,0xc5,0x5b,0xa6,0x97,0xb6,0x1e,0x57,0x92,0xbb,
315 0x14,0x72,0xeb,0xae,0x44,0x85,0x99,0xa3,0xa3,0x24,0xe5,0x91,
316 0x2e,0x34,0xa7,0x3f,0x48,0x7a,0xc4,0x72,0x54,0x65,0xe6,0x57,
320 static const unsigned char aes_192_no_df_nonce[] =
322 0x74,0x7a,0x38,0x81,0xef,0xca,0xd1,0xb6,0x7b,0xb5,0x1e,0x62,
326 static const unsigned char aes_192_no_df_personalizationstring[] =
328 0x03,0xf8,0xbe,0xe8,0x6a,0x90,0x2a,0x4f,0xbd,0x80,0xd0,0x31,
329 0xf0,0x59,0xa3,0xf6,0x87,0xd8,0x8d,0x0d,0xac,0x27,0xa2,0xd2,
330 0x91,0x72,0xa5,0xc1,0x07,0xac,0xbf,0xdb,0x5d,0xa1,0x7d,0x56,
334 static const unsigned char aes_192_no_df_additionalinput[] =
336 0x3e,0x89,0x1b,0x17,0xcb,0xe3,0xc8,0x76,0x71,0x0d,0xaf,0x97,
337 0x1e,0x73,0xa6,0xc4,0x88,0x3d,0x46,0xad,0xf0,0xba,0xc3,0x7e,
338 0x17,0x10,0x0d,0x20,0x80,0x23,0x26,0xcc,0xe6,0xc4,0xc4,0xd8,
342 static const unsigned char aes_192_no_df_entropyinputpr[] =
344 0x3f,0x33,0xb8,0x1b,0xe1,0x1b,0xe7,0xbe,0x68,0x6f,0xd2,0xd8,
345 0x6f,0xb6,0xf0,0xd2,0xa1,0x1c,0x83,0x24,0xfe,0x5d,0xf2,0xe9,
346 0x4b,0xf0,0x63,0xa2,0xd8,0x76,0x9e,0x49,0x78,0x64,0x1f,0x98,
350 static const unsigned char aes_192_no_df_additionalinput2[] =
352 0x54,0x48,0xf9,0x6a,0x86,0x93,0xf3,0x7b,0x02,0x1b,0xf6,0x46,
353 0x3a,0x49,0x02,0x87,0x3f,0x54,0x82,0x7f,0xa1,0x45,0x41,0xa5,
354 0x88,0x4b,0xaa,0x90,0x12,0x40,0x46,0x22,0xed,0x7a,0x72,0xf7,
358 static const unsigned char aes_192_no_df_entropyinputpr2[] =
360 0x00,0xdf,0xa1,0x50,0xc1,0xb9,0x82,0x7f,0x65,0xea,0x0f,0x14,
361 0x79,0xfe,0x6a,0x95,0x4b,0x96,0xae,0x89,0x28,0x52,0x49,0x05,
362 0xd9,0x00,0x9e,0x79,0x5e,0x04,0xdb,0xbb,0xec,0x09,0x16,0x53,
366 static const unsigned char aes_192_no_df_returnedbits[] =
368 0x48,0xd6,0x66,0x61,0x93,0x8d,0xff,0x7d,0x42,0xf4,0x41,0x9a,
373 /* AES-256 no df PR */
374 static const unsigned char aes_256_no_df_entropyinput[] =
376 0x7e,0x83,0x3f,0xa6,0x39,0xdc,0xcb,0x38,0x17,0x6a,0xa3,0x59,
377 0xa9,0x8c,0x1f,0x50,0xd3,0xdb,0x34,0xdd,0xa4,0x39,0x65,0xe4,
378 0x77,0x17,0x08,0x57,0x49,0x04,0xbd,0x68,0x5c,0x7d,0x2a,0xee,
379 0x0c,0xf2,0xfb,0x16,0xef,0x16,0x18,0x4d,0x32,0x6a,0x26,0x6c
382 static const unsigned char aes_256_no_df_nonce[] =
384 0xa3,0x8a,0xa4,0x6d,0xa6,0xc1,0x40,0xf8,0xa3,0x02,0xf1,0xac,
388 static const unsigned char aes_256_no_df_personalizationstring[] =
390 0xc0,0x54,0x1e,0xa5,0x93,0xd9,0x8b,0x2b,0x43,0x15,0x2c,0x07,
391 0x26,0x25,0xc7,0x08,0xf0,0xb3,0x4b,0x44,0x96,0xfe,0xc7,0xc5,
392 0x64,0x27,0xaa,0x78,0x5b,0xbc,0x40,0x51,0xce,0x89,0x6b,0xc1,
393 0x3f,0x9c,0xa0,0x5c,0x75,0x98,0x24,0xc5,0xe1,0x3e,0x86,0xdb
396 static const unsigned char aes_256_no_df_additionalinput[] =
398 0x0e,0xe3,0x0f,0x07,0x90,0xe2,0xde,0x20,0xb6,0xf7,0x6f,0xef,
399 0x87,0xdc,0x7f,0xc4,0x0d,0x9d,0x05,0x31,0x91,0x87,0x8c,0x9a,
400 0x19,0x53,0xd2,0xf8,0x20,0x91,0xa0,0xef,0x97,0x59,0xea,0x12,
401 0x1b,0x2f,0x29,0x74,0x76,0x35,0xf7,0x71,0x5a,0x96,0xeb,0xbc
404 static const unsigned char aes_256_no_df_entropyinputpr[] =
406 0x37,0x26,0x9a,0xa6,0x28,0xe0,0x35,0x78,0x12,0x42,0x44,0x5c,
407 0x55,0xbc,0xc8,0xb6,0x1f,0x24,0xf3,0x32,0x88,0x02,0x69,0xa7,
408 0xed,0x1d,0xb7,0x4d,0x8b,0x44,0x12,0x21,0x5e,0x60,0x53,0x96,
409 0x3b,0xb9,0x31,0x7f,0x2a,0x87,0xbf,0x3c,0x07,0xbb,0x27,0x22
412 static const unsigned char aes_256_no_df_additionalinput2[] =
414 0xf1,0x24,0x35,0xa6,0x8c,0x93,0x28,0x7e,0x84,0xea,0x3d,0x27,
415 0x44,0x18,0xc9,0x13,0x73,0x49,0xb9,0x83,0x79,0x15,0x29,0x53,
416 0x2f,0xef,0x43,0x06,0xe7,0xcb,0x5c,0x0f,0x9f,0x10,0x4c,0x60,
417 0x7f,0xbf,0x0c,0x37,0x9b,0xe4,0x94,0x26,0xe5,0x3b,0xf5,0x63
420 static const unsigned char aes_256_no_df_entropyinputpr2[] =
422 0xdc,0x91,0x48,0x11,0x63,0x7b,0x79,0x41,0x36,0x8c,0x4f,0xe2,
423 0xc9,0x84,0x04,0x9c,0xdc,0x5b,0x6c,0x8d,0x61,0x52,0xea,0xfa,
424 0x92,0x3b,0xb4,0x36,0x4c,0x06,0x4a,0xd1,0xb1,0x8e,0x32,0x03,
425 0xfd,0xa4,0xf7,0x5a,0xa6,0x5c,0x63,0xa1,0xb9,0x96,0xfa,0x12
428 static const unsigned char aes_256_no_df_returnedbits[] =
430 0x1c,0xba,0xfd,0x48,0x0f,0xf4,0x85,0x63,0xd6,0x7d,0x91,0x14,
435 static const unsigned char sha1_entropyinput[] =
437 0x5b,0xaf,0x30,0x1a,0xdc,0xd1,0x04,0xd7,0x95,0x72,0xd2,0xfb,
441 static const unsigned char sha1_nonce[] =
443 0xf3,0xd9,0xcb,0x92,0x5f,0x50,0x4c,0x99
446 static const unsigned char sha1_personalizationstring[] =
448 0x8f,0x56,0x70,0xd9,0x27,0xa2,0xb4,0xf1,0xb3,0xad,0xcf,0x10,
452 static const unsigned char sha1_additionalinput[] =
454 0x49,0xdd,0x0c,0xb4,0xab,0x84,0xe1,0x7e,0x94,0x20,0xad,0x6c,
458 static const unsigned char sha1_entropyinputpr[] =
460 0x23,0x4a,0xaf,0xf7,0x1a,0x0b,0x7e,0x51,0xdd,0x23,0x51,0x82,
464 static const unsigned char sha1_additionalinput2[] =
466 0x59,0xe6,0x93,0xcb,0x38,0x23,0xf5,0x7b,0x93,0x5a,0x4d,0xfa,
470 static const unsigned char sha1_entropyinputpr2[] =
472 0x2e,0x00,0x78,0x5a,0xcd,0x30,0xea,0x73,0x37,0x8a,0x0d,0x12,
476 static const unsigned char sha1_returnedbits[] =
478 0xe7,0x87,0x8b,0x01,0xc1,0xd3,0xd8,0x43,0xd4,0x8f,0xcd,0x24,
479 0x54,0x67,0xa2,0x6e,0x17,0x94,0x73,0x1c
484 static const unsigned char sha224_entropyinput[] =
486 0xfc,0x31,0xc1,0x87,0x43,0x07,0xb1,0xe5,0x71,0x48,0x5d,0x0e,
487 0xad,0xf8,0x68,0x09,0x6f,0xfe,0x80,0x2a,0xc1,0x12,0xb8,0xa6
490 static const unsigned char sha224_nonce[] =
492 0xfd,0xba,0x25,0x2e,0xc1,0x7c,0x4e,0xa1,0x4d,0xef,0xeb,0x5d
495 static const unsigned char sha224_personalizationstring[] =
497 0xc9,0x15,0xe4,0x8c,0x2a,0x4c,0xc9,0xe6,0x23,0x5c,0xb8,0x5a,
498 0x97,0x89,0x6a,0x10,0x75,0x68,0x27,0x00,0x0e,0x6f,0x44,0x1e
501 static const unsigned char sha224_additionalinput[] =
503 0xd3,0xab,0x74,0x74,0xe7,0x80,0x87,0x9e,0x89,0x08,0xbe,0xf1,
504 0x99,0x09,0x26,0xa4,0x2b,0x8c,0xb7,0xa0,0xc2,0xcc,0xae,0x0a
507 static const unsigned char sha224_entropyinputpr[] =
509 0xbd,0xc1,0x21,0x62,0x43,0x19,0x25,0x15,0x19,0xc5,0xcd,0x53,
510 0x9e,0xb4,0x17,0xff,0xaa,0x03,0xf6,0x5a,0x4d,0x69,0x28,0x0b
513 static const unsigned char sha224_additionalinput2[] =
515 0xdb,0xf5,0x57,0xea,0x5b,0xc8,0x0a,0xa9,0x32,0x72,0xcf,0x7d,
516 0xa4,0xeb,0x4f,0xbf,0x64,0x5d,0x74,0x04,0x0e,0x4e,0x0f,0xed
519 static const unsigned char sha224_entropyinputpr2[] =
521 0xab,0xce,0xe1,0xfd,0xaa,0x35,0x5c,0x0a,0xfe,0xd8,0x18,0xac,
522 0x92,0x79,0x79,0x53,0xbc,0xb5,0x45,0xf6,0xf9,0x73,0x7f,0x24
525 static const unsigned char sha224_returnedbits[] =
527 0xb2,0xc2,0x40,0xc4,0x2a,0x25,0x63,0xdb,0x99,0x59,0x7b,0x7b,
528 0xee,0xdb,0x51,0x8d,0x18,0x4c,0x09,0x26,0x22,0x1a,0xe9,0x76,
534 static const unsigned char sha256_entropyinput[] =
536 0xbc,0x67,0x4e,0x95,0xf1,0xca,0x71,0xdd,0xd3,0x97,0x3a,0x39,
537 0x3f,0x3d,0x7f,0xf2,0x99,0x02,0xcf,0x12,0x02,0xea,0xcc,0xf3,
538 0xd7,0xe7,0xcc,0x08,0x6c,0x41,0xb1,0xed
541 static const unsigned char sha256_nonce[] =
543 0x44,0x06,0xa7,0x61,0x15,0x0a,0x6a,0x2d,0xa9,0x18,0x10,0xb5,
547 static const unsigned char sha256_personalizationstring[] =
549 0x8f,0x39,0xd5,0x6a,0x46,0xde,0xa2,0x57,0xdf,0x39,0xdb,0xca,
550 0x13,0xca,0x51,0x0f,0x43,0x2a,0x77,0x3a,0x38,0x7a,0x3b,0x35,
551 0x1e,0x13,0x26,0x0e,0xc1,0x6b,0xb6,0x81
554 static const unsigned char sha256_additionalinput[] =
556 0x95,0x01,0xbe,0x52,0xaa,0xc4,0x32,0x5a,0x3c,0xea,0x57,0xc4,
557 0x5c,0xfa,0x25,0x4e,0xc5,0xf3,0xc2,0xa6,0x39,0xce,0x00,0x97,
558 0x19,0x50,0x17,0x71,0x44,0x13,0xa5,0xbd
561 static const unsigned char sha256_entropyinputpr[] =
563 0x8e,0x8a,0x19,0x03,0xa7,0x77,0xaa,0x64,0x4f,0x11,0x45,0x1d,
564 0x66,0x74,0x88,0xdf,0x2c,0x9b,0xc3,0xc8,0xbb,0x8c,0x99,0x34,
565 0xc6,0xc7,0xdb,0xc1,0x92,0xef,0xa3,0xa3
568 static const unsigned char sha256_additionalinput2[] =
570 0x2b,0x91,0x7f,0xf3,0x78,0x3f,0x18,0x73,0x7c,0x5f,0xc2,0xda,
571 0x1d,0x8c,0xc4,0xcd,0x74,0x4d,0xc1,0x7a,0x6c,0xe2,0x73,0x07,
572 0x9d,0x55,0xa8,0x42,0x69,0xc0,0x7c,0x85
575 static const unsigned char sha256_entropyinputpr2[] =
577 0x4c,0x3f,0xee,0x8b,0x98,0x0e,0x55,0x7e,0xab,0xc3,0xd3,0x0e,
578 0x35,0x33,0x72,0x75,0x9f,0x4b,0x87,0xce,0x05,0xbe,0xd4,0x6b,
579 0x70,0xec,0xdb,0x5a,0x57,0x14,0x83,0x34
582 static const unsigned char sha256_returnedbits[] =
584 0xa5,0x2c,0xab,0x93,0x63,0x57,0x5d,0x60,0x80,0x4c,0x71,0xbb,
585 0xc2,0x3d,0x43,0x13,0xd8,0xe1,0x60,0x63,0x5e,0xf8,0xb1,0x4c,
586 0x93,0x06,0x86,0x9e,0x03,0x0a,0x16,0x75
591 static const unsigned char sha384_entropyinput[] =
593 0xad,0x6c,0xfb,0xdd,0x40,0xd9,0xf1,0x0a,0xc6,0xe4,0x28,0xf9,
594 0x8c,0xb1,0x66,0xce,0x7e,0x7f,0xbb,0xea,0xcd,0x79,0x3d,0x54,
595 0xc6,0xc0,0x07,0x68,0xf0,0xb7,0x73,0xc5
598 static const unsigned char sha384_nonce[] =
600 0xfb,0xe1,0xb2,0x81,0x77,0xb0,0x14,0x94,0xae,0xbb,0x8d,0x01,
604 static const unsigned char sha384_personalizationstring[] =
606 0x02,0x8e,0xa9,0xc2,0x7e,0x0e,0x78,0xea,0x29,0xca,0x19,0xd4,
607 0x58,0x89,0x71,0x45,0x18,0xd9,0x1f,0xc0,0x8f,0x92,0x02,0xb8,
608 0x90,0xa7,0xec,0xf6,0x7f,0x33,0xa6,0x47
611 static const unsigned char sha384_additionalinput[] =
613 0x98,0x0e,0xe3,0x3c,0x8e,0x6b,0x82,0xc0,0x56,0xd0,0x93,0x14,
614 0x6a,0x79,0xa8,0xec,0x09,0xb7,0x49,0x01,0x71,0xdb,0x58,0x97,
615 0x5a,0x61,0xa5,0x4e,0xb4,0x5f,0xce,0x2b
618 static const unsigned char sha384_entropyinputpr[] =
620 0x50,0xef,0xaa,0x65,0x95,0x0d,0x4f,0x97,0x3e,0x57,0x59,0x48,
621 0xf9,0x4e,0xee,0x51,0xf8,0x46,0xec,0x4c,0x2d,0x55,0x47,0x23,
622 0xc5,0x7b,0xa3,0xda,0xe5,0x12,0x34,0x9a
625 static const unsigned char sha384_additionalinput2[] =
627 0x1c,0xcd,0xe0,0xc1,0x15,0xd4,0x7f,0xfa,0x9e,0x16,0xe7,0x6d,
628 0x22,0x55,0xfd,0x34,0x3f,0xec,0x1d,0x40,0x9e,0xdd,0x15,0x07,
629 0x13,0x1c,0x65,0x6e,0xf7,0x1c,0xb6,0xf8
632 static const unsigned char sha384_entropyinputpr2[] =
634 0xa0,0x8b,0x48,0xdc,0x7b,0x74,0x54,0xd0,0x0a,0x10,0x0e,0xc9,
635 0xf2,0xe0,0xf0,0x30,0x38,0xf5,0x46,0x27,0xf4,0x54,0x06,0x95,
636 0x56,0xab,0xf4,0x74,0xd8,0x34,0xf5,0x5d
639 static const unsigned char sha384_returnedbits[] =
641 0x03,0x54,0x62,0xaa,0x5c,0x61,0x28,0xfc,0x96,0x04,0xd6,0x4f,
642 0x50,0x5c,0x9e,0x7c,0x9e,0x1d,0x41,0x76,0x41,0xa0,0x60,0x70,
643 0x62,0x4f,0x42,0x1a,0x69,0xce,0x30,0xc4,0xf7,0x89,0xc8,0x93,
644 0xed,0xe9,0x42,0xf4,0x59,0x55,0x7c,0x6c,0xd3,0x4e,0xff,0x05
649 static const unsigned char sha512_entropyinput[] =
651 0x22,0xb1,0x72,0xe3,0xc4,0x87,0xe7,0x76,0x4e,0x85,0xb5,0xca,
652 0x86,0x4f,0x21,0x2b,0x4f,0x29,0x8e,0x8a,0xfc,0x88,0xfc,0xa1,
653 0xf6,0xd7,0xc1,0x63,0x90,0x8d,0x85,0xa9
656 static const unsigned char sha512_nonce[] =
658 0xcc,0x8b,0x86,0x21,0xa7,0xbe,0xd3,0xe1,0xde,0xd2,0x47,0xfc,
662 static const unsigned char sha512_personalizationstring[] =
664 0xb7,0x7c,0xb3,0x4f,0xf8,0xcd,0x19,0x89,0xdb,0x0c,0xcf,0xc9,
665 0xce,0xcd,0x48,0xcd,0x62,0x9c,0x51,0x38,0x85,0xe4,0x6c,0x17,
666 0x02,0x1b,0x6b,0xb5,0x3c,0x31,0x4f,0xa1
669 static const unsigned char sha512_additionalinput[] =
671 0x69,0x3f,0xcf,0xf5,0x38,0x09,0x0d,0x3c,0xfb,0xea,0x94,0xa6,
672 0xf3,0xdc,0xb3,0xa8,0xcb,0x61,0x3b,0x8d,0x8e,0x31,0x94,0xc2,
673 0xe8,0x20,0x1c,0x62,0xa0,0x54,0xc2,0x03
676 static const unsigned char sha512_entropyinputpr[] =
678 0xa0,0xcf,0x6f,0x0f,0x55,0x88,0x84,0xad,0x8d,0x2e,0x08,0x91,
679 0x8a,0x65,0xc0,0xb4,0xc9,0xbe,0x21,0x29,0xbe,0x23,0x2d,0x2b,
680 0xd1,0x81,0x90,0x66,0x97,0xb6,0xfa,0x84
683 static const unsigned char sha512_additionalinput2[] =
685 0x1f,0x5e,0x49,0xb5,0xa3,0xfa,0xe8,0x89,0xc5,0x1b,0x39,0x2b,
686 0x9e,0xc7,0x36,0x85,0x5b,0xa9,0x9f,0x91,0x79,0xfe,0x5c,0xe6,
687 0x41,0xbe,0x14,0x87,0x81,0x08,0x0d,0xee
689 /* NB: not constant so we can corrupt it */
690 static const unsigned char sha512_entropyinputpr2[] =
692 0xed,0x22,0x42,0x61,0xa7,0x4c,0xed,0xc7,0x10,0x82,0x61,0x17,
693 0xaa,0x7d,0xdb,0x4e,0x1c,0x96,0x61,0x23,0xcd,0x8f,0x84,0x77,
694 0xc3,0xa2,0x55,0xff,0xbb,0xc9,0xa6,0x2f
697 static const unsigned char sha512_returnedbits[] =
699 0x79,0x60,0x41,0xaa,0x6c,0xdd,0x17,0x28,0xc0,0x4d,0xc0,0x17,
700 0xc0,0x66,0x46,0x67,0x0d,0x20,0xe2,0x67,0x96,0xd5,0x2a,0xf4,
701 0x58,0x0a,0x06,0xab,0xc1,0x4c,0x70,0xc1,0xb8,0x9d,0x68,0x79,
702 0x28,0x07,0x38,0x4a,0xc3,0xec,0x3b,0x19,0x02,0xe7,0x13,0x82,
703 0x8f,0xc3,0xed,0x59,0x88,0xdd,0x88,0xaf,0xac,0xf0,0x57,0x6c,
708 static const unsigned char hmac_sha1_entropyinput[] =
710 0x0a,0xbe,0x45,0x75,0x79,0x56,0x5a,0xc1,0x93,0x1a,0xea,0xee,
714 static const unsigned char hmac_sha1_nonce[] =
716 0x15,0x63,0x19,0xd2,0x2f,0xec,0x42,0x84
719 static const unsigned char hmac_sha1_personalizationstring[] =
721 0xb4,0xfe,0x99,0x80,0xde,0xcf,0x1e,0x5e,0x50,0x0d,0x36,0x24,
725 static const unsigned char hmac_sha1_additionalinput[] =
727 0x5d,0xcb,0x61,0x0f,0x21,0x12,0xbf,0xdd,0x6a,0xa7,0x86,0x97,
731 static const unsigned char hmac_sha1_entropyinputpr[] =
733 0x9e,0xb3,0x11,0xa7,0xfa,0x5f,0xaa,0x99,0xec,0xf1,0xb4,0x7a,
737 static const unsigned char hmac_sha1_additionalinput2[] =
739 0x82,0x6e,0x85,0x25,0xa4,0xdc,0xdc,0xf4,0x09,0xb3,0x57,0x4a,
743 static const unsigned char hmac_sha1_entropyinputpr2[] =
745 0x8d,0x0b,0xdc,0x9a,0x62,0x49,0xb0,0xfe,0x56,0x23,0xfd,0x1d,
749 static const unsigned char hmac_sha1_returnedbits[] =
751 0x09,0xe3,0xcc,0x21,0x7e,0x78,0x83,0x7d,0x3c,0x1b,0x15,0xc7,
752 0x0c,0xe5,0xd6,0x9d,0x11,0xd7,0xe6,0xf8
756 /* HMAC SHA-224 PR */
757 static const unsigned char hmac_sha224_entropyinput[] =
759 0x98,0x49,0x8d,0x87,0x54,0xdc,0xf3,0x0f,0xe6,0x9d,0x5b,0x1f,
760 0x3b,0x23,0x0e,0x59,0x16,0x67,0x33,0xc0,0x71,0x50,0x4d,0xe3
763 static const unsigned char hmac_sha224_nonce[] =
765 0x96,0x73,0xae,0x62,0xfb,0xf4,0xb7,0x9b,0xcc,0xe9,0x84,0x7f
768 static const unsigned char hmac_sha224_personalizationstring[] =
770 0xa9,0x43,0x09,0xae,0xdd,0x11,0xc8,0x4a,0x04,0x89,0xa5,0x69,
771 0x5e,0x7c,0x80,0xd1,0xf9,0x1e,0x6d,0x8c,0xcd,0x59,0xef,0xd2
774 static const unsigned char hmac_sha224_additionalinput[] =
776 0xef,0x8f,0xfc,0x23,0x6a,0x71,0xdf,0xfa,0xf3,0xa1,0x37,0xd0,
777 0xfe,0x5e,0x3f,0x76,0x16,0xe0,0xdf,0x84,0xd7,0x01,0xc8,0xa4
780 static const unsigned char hmac_sha224_entropyinputpr[] =
782 0x5a,0xc1,0x2f,0xa3,0x52,0x1a,0x27,0xed,0x1b,0x13,0x2a,0xab,
783 0xb1,0x3d,0x2f,0x9c,0xd0,0x40,0xce,0xf2,0x0c,0x23,0x7d,0x40
786 static const unsigned char hmac_sha224_additionalinput2[] =
788 0xfe,0x48,0x55,0x54,0x87,0x83,0x50,0x11,0xc9,0x73,0x68,0x89,
789 0x1a,0x62,0xd5,0xe6,0x3b,0xc9,0x14,0x8d,0xd9,0x7e,0x83,0xef
792 static const unsigned char hmac_sha224_entropyinputpr2[] =
794 0x75,0x50,0xa6,0x64,0x0f,0xdf,0x11,0x05,0x02,0x79,0x89,0xf3,
795 0x33,0x37,0xa8,0x89,0xfe,0x0a,0x1a,0xc9,0x31,0x68,0xb2,0xa7
798 static const unsigned char hmac_sha224_returnedbits[] =
800 0xd0,0x38,0xa8,0xdf,0xfe,0xcd,0x4a,0x16,0xd6,0xec,0x20,0xac,
801 0x42,0x97,0x8c,0x5d,0x7b,0xec,0x23,0x62,0x21,0xc8,0x8e,0x76,
806 /* HMAC SHA-256 PR */
807 static const unsigned char hmac_sha256_entropyinput[] =
809 0xf8,0x48,0xab,0xfe,0x9a,0xf2,0x3d,0x9f,0x17,0xda,0xfe,0xe1,
810 0x41,0xcd,0xfc,0xa4,0x46,0x74,0xf7,0x38,0x32,0x86,0x02,0x28,
811 0xa6,0x33,0x5e,0x42,0xd9,0xce,0x95,0xe9
814 static const unsigned char hmac_sha256_nonce[] =
816 0x7a,0x26,0x5a,0xed,0x72,0xe0,0x2d,0xef,0xc3,0xa2,0x7f,0x7f,
820 static const unsigned char hmac_sha256_personalizationstring[] =
822 0xc8,0x79,0xe5,0xb6,0x19,0xc1,0xc1,0x4d,0x78,0xf8,0xfc,0xdf,
823 0x26,0xc3,0x5b,0x10,0x0f,0x37,0x25,0x04,0x50,0x06,0xc6,0x25,
824 0xe7,0xeb,0xa3,0x38,0xbb,0x55,0x3e,0xa2
827 static const unsigned char hmac_sha256_additionalinput[] =
829 0x37,0xf0,0x25,0xe1,0x03,0x4b,0xae,0x74,0xfc,0xff,0xbe,0x6b,
830 0xc1,0x93,0x23,0x66,0x95,0x54,0x67,0x1c,0x63,0x05,0xef,0xa6,
831 0xf0,0xc9,0x56,0x0c,0x61,0x4f,0x05,0x0f
834 static const unsigned char hmac_sha256_entropyinputpr[] =
836 0x91,0x62,0x41,0xa5,0x9a,0x5f,0x90,0x4d,0x53,0x75,0x11,0x0a,
837 0x86,0x1a,0x96,0x26,0x97,0x3e,0x20,0x31,0x79,0xf4,0xf8,0x4d,
838 0xf2,0x60,0x0d,0xba,0x12,0xe2,0x8f,0xa3
841 static const unsigned char hmac_sha256_additionalinput2[] =
843 0xd4,0xf8,0x6f,0x3a,0xae,0x93,0x93,0x42,0x0f,0x11,0xd7,0xe3,
844 0x07,0xfe,0x33,0x84,0xc3,0xd9,0xa2,0xe2,0xaa,0x66,0x5b,0xfa,
845 0xb7,0x37,0x56,0x35,0x17,0x78,0xfd,0xd4
848 static const unsigned char hmac_sha256_entropyinputpr2[] =
850 0xdd,0x21,0x60,0x30,0xfd,0x6d,0xea,0x1a,0x2e,0x0f,0xe3,0xcd,
851 0xb1,0x2b,0x10,0x16,0x3b,0x15,0xd0,0x92,0x93,0x1b,0xd7,0x14,
852 0x6e,0x90,0x31,0x52,0x88,0x1b,0x75,0xd5
855 static const unsigned char hmac_sha256_returnedbits[] =
857 0x8a,0x66,0x8a,0xe2,0x0d,0xe7,0xcc,0xae,0xec,0x9b,0x22,0x8e,
858 0xd1,0x0c,0xa4,0x13,0xcd,0xd9,0x4b,0xb9,0x72,0xf2,0xc2,0x12,
859 0x88,0x52,0x5d,0x90,0x67,0x69,0x38,0x22
863 /* HMAC SHA-384 PR */
864 static const unsigned char hmac_sha384_entropyinput[] =
866 0x81,0x6f,0xcc,0xe7,0x9b,0x85,0x5e,0x99,0x0d,0x74,0x39,0xe5,
867 0x65,0x9b,0xb9,0x68,0x6b,0x9e,0x76,0xff,0x78,0xef,0xc6,0xf2,
868 0x1b,0x99,0x74,0x64,0xee,0x4e,0xc0,0xfa
871 static const unsigned char hmac_sha384_nonce[] =
873 0xf8,0xce,0xb1,0xe7,0x96,0x9d,0x47,0x10,0x80,0xda,0x70,0x75,
877 static const unsigned char hmac_sha384_personalizationstring[] =
879 0x3c,0xbd,0xd5,0x1c,0x1e,0xa5,0xa9,0xe0,0x0b,0xb1,0xd4,0x2c,
880 0xcc,0xaf,0xb9,0x70,0x61,0x03,0x86,0x82,0xff,0x58,0x51,0xea,
881 0x46,0x88,0x77,0x6f,0xc6,0xc7,0x38,0xe0
884 static const unsigned char hmac_sha384_additionalinput[] =
886 0xaf,0x16,0x5f,0xcf,0x85,0xba,0xd2,0x85,0x14,0x5c,0x33,0x64,
887 0x8a,0x7b,0x26,0x9b,0xd1,0xb0,0xf4,0xcc,0xaf,0xf3,0xc4,0xfa,
888 0x1d,0x2c,0x19,0xb4,0xe6,0xfc,0x8d,0x81
891 static const unsigned char hmac_sha384_entropyinputpr[] =
893 0xff,0x63,0xb4,0x83,0x95,0xe6,0x7e,0x3c,0x35,0xee,0xb5,0x2c,
894 0x50,0x65,0x06,0x53,0xb3,0x17,0xd3,0x22,0x0c,0xdb,0xce,0x41,
895 0x9b,0xff,0xd8,0xa1,0x36,0xf7,0x1a,0xc4
898 static const unsigned char hmac_sha384_additionalinput2[] =
900 0xaa,0x2a,0xd6,0x81,0xda,0x55,0x3b,0xdd,0xa7,0x9e,0x25,0x31,
901 0xf8,0xc9,0xa3,0xb5,0x8b,0x52,0x30,0x24,0xf2,0x16,0xd3,0x0c,
902 0xcc,0x47,0x77,0x5a,0x46,0x91,0x87,0x23
905 static const unsigned char hmac_sha384_entropyinputpr2[] =
907 0xaa,0xe9,0xf6,0xcc,0xd3,0x38,0x0b,0x20,0x75,0x4a,0x3b,0x13,
908 0xc7,0xf1,0x66,0xc0,0x0e,0xfd,0xc1,0x7b,0x81,0x3f,0xd7,0x7b,
909 0x5b,0xe0,0xbe,0xc7,0x40,0xe2,0x9c,0x65
912 static const unsigned char hmac_sha384_returnedbits[] =
914 0x57,0x49,0xc1,0x59,0x99,0x5d,0xe2,0xc6,0x25,0xc5,0xdb,0xe2,
915 0xd4,0x1b,0xee,0x4c,0xd3,0x36,0xe5,0xa5,0xc8,0x93,0xcb,0xbc,
916 0xc8,0x2e,0xd6,0x45,0x3f,0x66,0xa4,0x71,0xc8,0x98,0xb9,0x97,
917 0x28,0x56,0xad,0xdb,0xfe,0x09,0x8d,0xe2,0xb3,0x04,0xae,0xf4
921 /* HMAC SHA-512 PR */
922 static const unsigned char hmac_sha512_entropyinput[] =
924 0xab,0xb5,0xbc,0x7f,0x94,0xd6,0xbe,0xc8,0x94,0xa9,0x46,0xdd,
925 0xc5,0x63,0x14,0x8e,0xdc,0xab,0x68,0x7f,0x47,0xec,0x46,0x16,
926 0x8a,0xe0,0xea,0xa3,0xda,0x5b,0x88,0xd0
929 static const unsigned char hmac_sha512_nonce[] =
931 0x6a,0xda,0xa4,0x68,0x66,0x9a,0xc8,0x34,0xef,0x21,0xe6,0xb4,
935 static const unsigned char hmac_sha512_personalizationstring[] =
937 0x69,0xa4,0x13,0xd2,0xeb,0x39,0xb6,0xdc,0x3e,0x6c,0x84,0xb8,
938 0x1b,0x0e,0x86,0x47,0xb4,0x74,0xf1,0x60,0xe6,0x66,0x7c,0x53,
939 0xbc,0x43,0x03,0xbd,0x26,0x78,0x5b,0x92
942 static const unsigned char hmac_sha512_additionalinput[] =
944 0xaf,0x33,0x2b,0x15,0x3c,0xd1,0x01,0x8b,0x24,0xe9,0x97,0x01,
945 0x13,0x52,0x4b,0x92,0xd0,0x2f,0x0e,0xd4,0xf9,0x5a,0x3b,0xe3,
946 0xff,0x14,0xb7,0xae,0x63,0xed,0x4d,0x80
949 static const unsigned char hmac_sha512_entropyinputpr[] =
951 0x0e,0xe7,0xe1,0x16,0x7d,0x6d,0x3c,0xfd,0xd2,0x69,0x2e,0xc6,
952 0xb7,0x08,0xa4,0xb5,0x93,0xe2,0xba,0xa3,0x40,0x6a,0x9a,0x13,
953 0x0d,0x94,0x99,0x7a,0xfb,0xc7,0x8f,0xca
956 static const unsigned char hmac_sha512_additionalinput2[] =
958 0xc0,0xfd,0xea,0x00,0xee,0xdd,0xf3,0x4c,0x5e,0x4a,0x97,0x04,
959 0x3c,0xf0,0x97,0xce,0x75,0x90,0xad,0x51,0xf8,0xea,0xe9,0xc2,
960 0x2c,0xec,0x4d,0xb2,0xb4,0x1b,0xa6,0x15
963 static const unsigned char hmac_sha512_entropyinputpr2[] =
965 0x63,0xfb,0x80,0xa7,0xf9,0xce,0x87,0xbd,0xe2,0xf0,0xfa,0x82,
966 0x4b,0xe2,0x7e,0xce,0x90,0xc1,0x30,0x54,0x1c,0x4e,0x9f,0x49,
967 0x82,0x3d,0x0a,0x52,0xdb,0xc0,0xda,0xb1
970 static const unsigned char hmac_sha512_returnedbits[] =
972 0x6a,0x33,0x60,0x3d,0xe4,0x83,0x39,0x46,0xb3,0x3d,0x7d,0x16,
973 0x25,0xc8,0x69,0xb3,0x94,0x17,0x6b,0x23,0xec,0x4d,0xcb,0x23,
974 0xbd,0x92,0x1c,0xfa,0xa7,0xba,0x97,0x35,0xb9,0x54,0x47,0x88,
975 0x26,0x6d,0x6d,0x3f,0xc2,0xe3,0x5c,0x56,0x2c,0x50,0x5d,0x60,
976 0x11,0x3a,0x19,0x66,0xd9,0x0e,0x7c,0x08,0xfb,0xf9,0xf2,0xb4,
983 static DRBG_SELFTEST_DATA drbg_test[] = {
984 make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df),
985 make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df),
986 make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df),
987 make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df),
988 make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df),
989 make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df),
990 make_drbg_test_data(NID_sha1, 0, sha1),
991 make_drbg_test_data(NID_sha224, 0, sha224),
992 make_drbg_test_data(NID_sha256, 0, sha256),
993 make_drbg_test_data(NID_sha384, 0, sha384),
994 make_drbg_test_data(NID_sha512, 0, sha512),
995 make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1),
996 make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224),
997 make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256),
998 make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384),
999 make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512),
1005 const unsigned char *ent;
1008 const unsigned char *nonce;
1013 static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
1014 int entropy, size_t min_len, size_t max_len)
1016 TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
1017 *pout = (unsigned char *)t->ent;
1022 static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
1023 int entropy, size_t min_len, size_t max_len)
1025 TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
1026 *pout = (unsigned char *)t->nonce;
1031 static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
1036 unsigned char randout[1024];
1037 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
1039 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
1042 FIPS_drbg_set_app_data(dctx, &t);
1045 t.entlen = td->entlen;
1046 t.nonce = td->nonce;
1047 t.noncelen = td->noncelen;
1051 if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
1055 t.entlen = td->entprlen;
1057 /* Note for CTR without DF some additional input values
1058 * ignore bytes after the keylength: so reduce adinlen
1059 * to half to ensure invalid data is fed in.
1061 if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->flags))
1062 adinlen = td->adinlen / 2;
1064 adinlen = td->adinlen;
1065 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
1070 t.entlen = td->entglen;
1072 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
1073 td->ading, td->adinglen))
1076 if (memcmp(randout, td->kat, td->katlen))
1083 FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
1084 FIPS_drbg_uninstantiate(dctx);
1089 /* This is the "health check" function required by SP800-90. Induce several
1090 * failure modes and check an error condition is set.
1093 static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
1095 unsigned char randout[1024];
1098 unsigned char *p = (unsigned char *)dctx;
1100 /* Initialise DRBG */
1102 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
1105 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
1108 FIPS_drbg_set_app_data(dctx, &t);
1111 t.entlen = td->entlen;
1112 t.nonce = td->nonce;
1113 t.noncelen = td->noncelen;
1117 /* Don't report induced errors */
1118 dctx->flags |= DRBG_FLAG_NOERR;
1120 /* Try too large a personalisation length */
1121 if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
1123 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
1127 /* Test entropy source failure detection */
1130 if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
1132 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
1136 /* Try to generate output from uninstantiated DRBG */
1137 if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
1138 td->adin, td->adinlen))
1140 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
1144 dctx->flags &= ~DRBG_FLAG_NOERR;
1145 if (!FIPS_drbg_uninstantiate(dctx))
1147 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
1151 /* Instantiate with valid data. NB: errors now reported again */
1152 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
1154 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
1156 FIPS_drbg_set_app_data(dctx, &t);
1158 t.entlen = td->entlen;
1159 if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
1162 /* Check generation is now OK */
1163 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
1164 td->adin, td->adinlen))
1167 /* Try to generate with too high a strength.
1170 dctx->flags |= DRBG_FLAG_NOERR;
1171 if (dctx->strength != 256)
1173 if (FIPS_drbg_generate(dctx, randout, td->katlen, 256, 0,
1174 td->adin, td->adinlen))
1176 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_STRENGTH_ERROR_UNDETECTED);
1182 /* Request too much data for one request */
1183 if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, 0,
1184 td->adin, td->adinlen))
1186 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
1190 /* Check prediction resistance request fails if entropy source
1196 if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, 1,
1197 td->adin, td->adinlen))
1199 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
1203 dctx->flags &= ~DRBG_FLAG_NOERR;
1205 if (!FIPS_drbg_uninstantiate(dctx))
1207 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
1212 /* Instantiate again with valid data */
1214 if (!FIPS_drbg_init(dctx, td->nid, td->flags))
1216 if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
1218 FIPS_drbg_set_app_data(dctx, &t);
1220 t.entlen = td->entlen;
1221 /* Test reseeding works */
1222 dctx->reseed_interval = 2;
1223 if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
1226 /* Check generation is now OK */
1227 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
1228 td->adin, td->adinlen))
1230 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
1231 td->adin, td->adinlen))
1234 /* DRBG should now require a reseed */
1235 if (dctx->status != DRBG_STATUS_RESEED)
1237 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
1242 /* Generate again and check entropy has been requested for reseed */
1244 if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, 0,
1245 td->adin, td->adinlen))
1249 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
1253 FIPS_drbg_uninstantiate(dctx);
1254 p = (unsigned char *)&dctx->d;
1255 /* Standard says we have to check uninstantiate really zeroes
1258 for (i = 0; i < sizeof(dctx->d); i++)
1262 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
1271 /* A real error as opposed to an induced one: underlying function will
1272 * indicate the error.
1274 if (!(dctx->flags & DRBG_FLAG_NOERR))
1275 FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_FUNCTION_ERROR);
1276 FIPS_drbg_uninstantiate(dctx);
1282 int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
1285 DRBG_SELFTEST_DATA *td;
1286 for (td = drbg_test; td->nid != 0; td++)
1288 if (td->nid == nid && td->flags == flags)
1290 rv = fips_drbg_single_kat(dctx, td);
1293 return fips_drbg_health_check(dctx, td);
1299 int FIPS_selftest_drbg(void)
1302 DRBG_SELFTEST_DATA *td;
1304 dctx = FIPS_drbg_new(0, 0);
1307 for (td = drbg_test; td->nid != 0; td++)
1309 if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
1311 if (!fips_drbg_single_kat(dctx, td))
1313 fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
1317 if (!fips_drbg_health_check(dctx, td))
1319 fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
1323 if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
1326 FIPS_drbg_free(dctx);