Index: openssl-1.1.1g/crypto/fips/drbgtest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1g/crypto/fips/drbgtest.c 2020-05-15 16:20:15.962172616 +0200 @@ -0,0 +1,1179 @@ +/* + * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "internal/nelem.h" +#include +#include +#include +#include +#include +#include +#include "../crypto/rand/rand_local.h" +#include "../include/crypto/rand.h" + +#if defined(_WIN32) +# include +#endif + + +#if defined(OPENSSL_SYS_UNIX) +# include +# include +# include +#endif + +#include "../../test/drbgtest.h" + +typedef struct drbg_selftest_data_st { + int post; + int nid; + unsigned int flags; + + /* KAT data for no PR */ + const unsigned char *entropy; + size_t entropylen; + const unsigned char *nonce; + size_t noncelen; + const unsigned char *pers; + size_t perslen; + const unsigned char *adin; + size_t adinlen; + const unsigned char *entropyreseed; + size_t entropyreseedlen; + const unsigned char *adinreseed; + size_t adinreseedlen; + const unsigned char *adin2; + size_t adin2len; + const unsigned char *expected; + size_t exlen; + const unsigned char *kat2; + size_t kat2len; + + /* KAT data for PR */ + const unsigned char *entropy_pr; + size_t entropylen_pr; + const unsigned char *nonce_pr; + size_t noncelen_pr; + const unsigned char *pers_pr; + size_t perslen_pr; + const unsigned char *adin_pr; + size_t adinlen_pr; + const unsigned char *entropypr_pr; + size_t entropyprlen_pr; + const unsigned char *ading_pr; + size_t adinglen_pr; + const unsigned char *entropyg_pr; + size_t entropyglen_pr; + const unsigned char *kat_pr; + size_t katlen_pr; + const unsigned char *kat2_pr; + size_t kat2len_pr; +} DRBG_SELFTEST_DATA; + +#define make_drbg_test_data(nid, flag, pr, post) {\ + post, nid, flag, \ + pr##_entropyinput, sizeof(pr##_entropyinput), \ + pr##_nonce, sizeof(pr##_nonce), \ + pr##_personalizationstring, sizeof(pr##_personalizationstring), \ + pr##_additionalinput, sizeof(pr##_additionalinput), \ + pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ + pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ + pr##_additionalinput2, sizeof(pr##_additionalinput2), \ + pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ + pr##_returnedbits, sizeof(pr##_returnedbits), \ + pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ + pr##_pr_nonce, sizeof(pr##_pr_nonce), \ + pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ + pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ + pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ + pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ + pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ + pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ + pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \ + } + +#define make_drbg_test_data_use_df(nid, pr, p) \ + make_drbg_test_data(nid, 0, pr, p) + +#define make_drbg_test_data_no_df(nid, pr, p) \ + make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p) + +static DRBG_SELFTEST_DATA drbg_test[] = { + make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df, 0), + make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df, 0), + make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df, 1), + make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0), + make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0), + make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1), +}; + +static int app_data_index; + +/* + * Test context data, attached as EXDATA to the RAND_DRBG + */ +typedef struct test_ctx_st { + const unsigned char *entropy; + size_t entropylen; + int entropycnt; + const unsigned char *nonce; + size_t noncelen; + int noncecnt; +} TEST_CTX; + +static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance) +{ + TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); + + t->entropycnt++; + *pout = (unsigned char *)t->entropy; + return t->entropylen; +} + +static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); + + t->noncecnt++; + *pout = (unsigned char *)t->nonce; + return t->noncelen; +} + + /* + * Disable CRNG testing if it is enabled. + * If the DRBG is ready or in an error state, this means an instantiate cycle + * for which the default personalisation string is used. + */ +static int disable_crngt(RAND_DRBG *drbg) +{ + static const char pers[] = DRBG_DEFAULT_PERS_STRING; + const int instantiate = drbg->state != DRBG_UNINITIALISED; + + if (drbg->get_entropy != rand_crngt_get_entropy) + return 1; + + if ((instantiate && !RAND_DRBG_uninstantiate(drbg)) + || !RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy, + &rand_drbg_cleanup_entropy, + &rand_drbg_get_nonce, + &rand_drbg_cleanup_nonce) + || (instantiate + && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers, + sizeof(pers) - 1))) + return 0; + return 1; +} + +static int uninstantiate(RAND_DRBG *drbg) +{ + int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg); + + ERR_clear_error(); + return ret; +} + +/* + * Do a single KAT test. Return 0 on failure. + */ +static int single_kat(DRBG_SELFTEST_DATA *td) +{ + RAND_DRBG *drbg = NULL; + TEST_CTX t; + int failures = 0; + unsigned char buff[1024]; + + /* + * Test without PR: Instantiate DRBG with test entropy, nonce and + * personalisation string. + */ + if ((drbg = RAND_DRBG_new(td->nid, td->flags, NULL)) == NULL) + return 0; + if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, + kat_nonce, NULL) + || !disable_crngt(drbg)) { + failures++; + goto err; + } + memset(&t, 0, sizeof(t)); + t.entropy = td->entropy; + t.entropylen = td->entropylen; + t.nonce = td->nonce; + t.noncelen = td->noncelen; + RAND_DRBG_set_ex_data(drbg, app_data_index, &t); + + if (!RAND_DRBG_instantiate(drbg, td->pers, td->perslen) + || !RAND_DRBG_generate(drbg, buff, td->exlen, 0, + td->adin, td->adinlen) + || memcmp(td->expected, buff, td->exlen)) + failures++; + + /* Reseed DRBG with test entropy and additional input */ + t.entropy = td->entropyreseed; + t.entropylen = td->entropyreseedlen; + if (!RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0) + || !RAND_DRBG_generate(drbg, buff, td->kat2len, 0, + td->adin2, td->adin2len) + || memcmp(td->kat2, buff, td->kat2len)) + failures++; + uninstantiate(drbg); + + /* + * Now test with PR: Instantiate DRBG with test entropy, nonce and + * personalisation string. + */ + if (!RAND_DRBG_set(drbg, td->nid, td->flags) + || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, + kat_nonce, NULL)) + failures++; + RAND_DRBG_set_ex_data(drbg, app_data_index, &t); + t.entropy = td->entropy_pr; + t.entropylen = td->entropylen_pr; + t.nonce = td->nonce_pr; + t.noncelen = td->noncelen_pr; + t.entropycnt = 0; + t.noncecnt = 0; + if (!RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr)) + failures++; + + /* + * Now generate with PR: we need to supply entropy as this will + * perform a reseed operation. + */ + t.entropy = td->entropypr_pr; + t.entropylen = td->entropyprlen_pr; + if (!RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1, + td->adin_pr, td->adinlen_pr) + || memcmp(td->kat_pr, buff, td->katlen_pr)) + failures++; + + /* + * Now generate again with PR: supply new entropy again. + */ + t.entropy = td->entropyg_pr; + t.entropylen = td->entropyglen_pr; + + if (!RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1, + td->ading_pr, td->adinglen_pr) + || memcmp(td->kat2_pr, buff, td->kat2len_pr)) + failures++; + +err: + uninstantiate(drbg); + RAND_DRBG_free(drbg); + return failures == 0; +} + +/* + * Initialise a DRBG based on selftest data + */ +static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t) +{ + if (!RAND_DRBG_set(drbg, td->nid, td->flags) + || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, + kat_nonce, NULL)) + return 0; + RAND_DRBG_set_ex_data(drbg, app_data_index, t); + t->entropy = td->entropy; + t->entropylen = td->entropylen; + t->nonce = td->nonce; + t->noncelen = td->noncelen; + t->entropycnt = 0; + t->noncecnt = 0; + return 1; +} + +/* + * Initialise and instantiate DRBG based on selftest data + */ +static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, + TEST_CTX *t) +{ + if (!init(drbg, td, t) + || !RAND_DRBG_instantiate(drbg, td->pers, td->perslen)) + return 0; + return 1; +} + +/* + * Perform extensive error checking as required by SP800-90. + * Induce several failure modes and check an error condition is set. + */ +static int error_check(DRBG_SELFTEST_DATA *td) +{ + static char zero[sizeof(RAND_DRBG)]; + RAND_DRBG *drbg = NULL; + TEST_CTX t; + unsigned char buff[1024]; + unsigned int reseed_counter_tmp; + int ret = 0; + + if (!(drbg = RAND_DRBG_new(0, 0, NULL)) + || !disable_crngt(drbg)) + goto err; + + /* + * Personalisation string tests + */ + + /* Test detection of too large personalisation string */ + if (!init(drbg, td, &t) + || RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0) + goto err; + + /* + * Entropy source tests + */ + + /* Test entropy source failure detection: i.e. returns no data */ + t.entropylen = 0; + if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0) + goto err; + + /* Try to generate output from uninstantiated DRBG */ + if (RAND_DRBG_generate(drbg, buff, td->exlen, 0, + td->adin, td->adinlen) + || !uninstantiate(drbg)) + goto err; + + /* Test insufficient entropy */ + if (!init(drbg, td, &t)) + goto err; + t.entropylen = drbg->min_entropylen - 1; + if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0 + || !uninstantiate(drbg)) + goto err; + + /* Test too much entropy */ + if (!init(drbg, td, &t)) + goto err; + t.entropylen = drbg->max_entropylen + 1; + if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0 + || !uninstantiate(drbg)) + goto err; + + /* + * Nonce tests + */ + + /* Test too small nonce */ + if (drbg->min_noncelen) { + if (!init(drbg, td, &t)) + goto err; + t.noncelen = drbg->min_noncelen - 1; + if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0 + || !uninstantiate(drbg)) + goto err; + } + + /* Test too large nonce */ + if (drbg->max_noncelen) { + if (!init(drbg, td, &t)) + goto err; + t.noncelen = drbg->max_noncelen + 1; + if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0 + || !uninstantiate(drbg)) + goto err; + } + + /* Instantiate with valid data, Check generation is now OK */ + if (!instantiate(drbg, td, &t) + || !RAND_DRBG_generate(drbg, buff, td->exlen, 0, + td->adin, td->adinlen)) + goto err; + + /* Request too much data for one request */ + if (RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0, + td->adin, td->adinlen)) + goto err; + + /* Try too large additional input */ + if (RAND_DRBG_generate(drbg, buff, td->exlen, 0, + td->adin, drbg->max_adinlen + 1)) + goto err; + + /* + * Check prediction resistance request fails if entropy source + * failure. + */ + t.entropylen = 0; + if (RAND_DRBG_generate(drbg, buff, td->exlen, 1, + td->adin, td->adinlen) + || !uninstantiate(drbg)) + goto err; + + /* Instantiate again with valid data */ + if (!instantiate(drbg, td, &t)) + goto err; + reseed_counter_tmp = drbg->generate_counter; + drbg->generate_counter = drbg->reseed_interval; + + /* Generate output and check entropy has been requested for reseed */ + t.entropycnt = 0; + if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0, + td->adin, td->adinlen) + || t.entropycnt != 1 + || drbg->generate_counter != reseed_counter_tmp + 1 + || !uninstantiate(drbg)) + goto err; + + /* + * Check prediction resistance request fails if entropy source + * failure. + */ + t.entropylen = 0; + if (RAND_DRBG_generate(drbg, buff, td->exlen, 1, + td->adin, td->adinlen) + || !uninstantiate(drbg)) + goto err; + + /* Test reseed counter works */ + if (!instantiate(drbg, td, &t)) + goto err; + reseed_counter_tmp = drbg->generate_counter; + drbg->generate_counter = drbg->reseed_interval; + + /* Generate output and check entropy has been requested for reseed */ + t.entropycnt = 0; + if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0, + td->adin, td->adinlen) + || t.entropycnt != 1 + || drbg->generate_counter != reseed_counter_tmp + 1 + || !uninstantiate(drbg)) + goto err; + + /* + * Explicit reseed tests + */ + + /* Test explicit reseed with too large additional input */ + if (!instantiate(drbg, td, &t) + || RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0) + goto err; + + /* Test explicit reseed with entropy source failure */ + t.entropylen = 0; + if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0 + || !uninstantiate(drbg)) + goto err; + + /* Test explicit reseed with too much entropy */ + if (!instantiate(drbg, td, &t)) + goto err; + t.entropylen = drbg->max_entropylen + 1; + if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0 + || !uninstantiate(drbg)) + goto err; + + /* Test explicit reseed with too little entropy */ + if (!instantiate(drbg, td, &t)) + goto err; + t.entropylen = drbg->min_entropylen - 1; + if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0 + || !uninstantiate(drbg)) + goto err; + + /* Standard says we have to check uninstantiate really zeroes */ + /* + * RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(), + * but right after that it resets drbg->data.ctr using RAND_DRBG_set(), so + * the following memcmp will fail. + */ +#if 0 + if (memcmp(zero, &drbg->data, sizeof(drbg->data))) + goto err; +#endif + + ret = 1; + +err: + uninstantiate(drbg); + RAND_DRBG_free(drbg); + return ret; +} + +static int test_kats(int i) +{ + DRBG_SELFTEST_DATA *td = &drbg_test[i]; + int rv = 0; + + if (!single_kat(td)) + goto err; + rv = 1; + +err: + return rv; +} + +static int test_error_checks(int i) +{ + DRBG_SELFTEST_DATA *td = &drbg_test[i]; + int rv = 0; + + if (!error_check(td)) + goto err; + rv = 1; + +err: + return rv; +} + +/* + * Hook context data, attached as EXDATA to the RAND_DRBG + */ +typedef struct hook_ctx_st { + RAND_DRBG *drbg; + /* + * Currently, all DRBGs use the same get_entropy() callback. + * The tests however, don't assume this and store + * the original callback for every DRBG separately. + */ + RAND_DRBG_get_entropy_fn get_entropy; + /* forces a failure of the get_entropy() call if nonzero */ + int fail; + /* counts successful reseeds */ + int reseed_count; +} HOOK_CTX; + +static HOOK_CTX master_ctx, public_ctx, private_ctx; + +static HOOK_CTX *get_hook_ctx(RAND_DRBG *drbg) +{ + return (HOOK_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); +} + +/* Intercepts and counts calls to the get_entropy() callback */ +static size_t get_entropy_hook(RAND_DRBG *drbg, unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance) +{ + size_t ret; + HOOK_CTX *ctx = get_hook_ctx(drbg); + + if (ctx->fail != 0) + return 0; + + ret = ctx->get_entropy(drbg, pout, entropy, min_len, max_len, + prediction_resistance); + + if (ret != 0) + ctx->reseed_count++; + return ret; +} + +/* Installs a hook for the get_entropy() callback of the given drbg */ +static void hook_drbg(RAND_DRBG *drbg, HOOK_CTX *ctx) +{ + memset(ctx, 0, sizeof(*ctx)); + ctx->drbg = drbg; + ctx->get_entropy = drbg->get_entropy; + drbg->get_entropy = get_entropy_hook; + RAND_DRBG_set_ex_data(drbg, app_data_index, ctx); +} + +/* Installs the hook for the get_entropy() callback of the given drbg */ +static void unhook_drbg(RAND_DRBG *drbg) +{ + HOOK_CTX *ctx = get_hook_ctx(drbg); + + drbg->get_entropy = ctx->get_entropy; + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data); +} + +/* Resets the given hook context */ +static void reset_hook_ctx(HOOK_CTX *ctx) +{ + ctx->fail = 0; + ctx->reseed_count = 0; +} + +/* Resets all drbg hook contexts */ +static void reset_drbg_hook_ctx(void) +{ + reset_hook_ctx(&master_ctx); + reset_hook_ctx(&public_ctx); + reset_hook_ctx(&private_ctx); +} + +/* + * Generates random output using RAND_bytes() and RAND_priv_bytes() + * and checks whether the three shared DRBGs were reseeded as + * expected. + * + * |expect_success|: expected outcome (as reported by RAND_status()) + * |master|, |public|, |private|: pointers to the three shared DRBGs + * |expect_xxx_reseed| = + * 1: it is expected that the specified DRBG is reseeded + * 0: it is expected that the specified DRBG is not reseeded + * -1: don't check whether the specified DRBG was reseeded or not + * |reseed_time|: if nonzero, used instead of time(NULL) to set the + * |before_reseed| time. + */ +static int test_drbg_reseed(int expect_success, + RAND_DRBG *master, + RAND_DRBG *public, + RAND_DRBG *private, + int expect_master_reseed, + int expect_public_reseed, + int expect_private_reseed, + time_t reseed_time + ) +{ + unsigned char buf[32]; + time_t before_reseed, after_reseed; + int expected_state = (expect_success ? DRBG_READY : DRBG_ERROR); + + /* + * step 1: check preconditions + */ + + /* Test whether seed propagation is enabled */ + if (master->reseed_counter == 0 + || public->reseed_counter == 0 + || private->reseed_counter == 0) + return 0; + + /* Check whether the master DRBG's reseed counter is the largest one */ + if (public->reseed_counter > master->reseed_counter + || private->reseed_counter > master->reseed_counter) + return 0; + + /* + * step 2: generate random output + */ + + if (reseed_time == 0) + reseed_time = time(NULL); + + /* Generate random output from the public and private DRBG */ + before_reseed = expect_master_reseed == 1 ? reseed_time : 0; + if (RAND_bytes(buf, sizeof(buf)) != expect_success + || RAND_priv_bytes(buf, sizeof(buf)) != expect_success) + return 0; + after_reseed = time(NULL); + + + /* + * step 3: check postconditions + */ + + /* Test whether reseeding succeeded as expected */ + if (master->state != expected_state + || public->state != expected_state + || private->state != expected_state) + return 0; + + if (expect_master_reseed >= 0) { + /* Test whether master DRBG was reseeded as expected */ + if (master_ctx.reseed_count != expect_master_reseed) + return 0; + } + + if (expect_public_reseed >= 0) { + /* Test whether public DRBG was reseeded as expected */ + if (public_ctx.reseed_count != expect_public_reseed) + return 0; + } + + if (expect_private_reseed >= 0) { + /* Test whether public DRBG was reseeded as expected */ + if (private_ctx.reseed_count != expect_private_reseed) + return 0; + } + + if (expect_success == 1) { + /* Test whether all three reseed counters are synchronized */ + if (public->reseed_counter != master->reseed_counter + || private->reseed_counter != master->reseed_counter) + return 0; + + /* Test whether reseed time of master DRBG is set correctly */ + if (before_reseed > master->reseed_time + || master->reseed_time > after_reseed) + return 0; + + /* Test whether reseed times of child DRBGs are synchronized with master */ + if (public->reseed_time < master->reseed_time + || private->reseed_time < master->reseed_time) + return 0; + } else { + ERR_clear_error(); + } + + return 1; +} + + +#if defined(OPENSSL_SYS_UNIX) +/* + * Test whether master, public and private DRBG are reseeded after + * forking the process. + */ +static int test_drbg_reseed_after_fork(RAND_DRBG *master, + RAND_DRBG *public, + RAND_DRBG *private) +{ + pid_t pid; + int status=0; + + pid = fork(); + if (pid < 0) + return 0; + + if (pid > 0) { + /* I'm the parent; wait for the child and check its exit code */ + return (waitpid(pid, &status, 0) == pid) && status == 0; + } + + /* I'm the child; check whether all three DRBGs reseed. */ + if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)) + status = 1; + + /* Remove hooks */ + unhook_drbg(master); + unhook_drbg(public); + unhook_drbg(private); + exit(status); +} +#endif + +/* + * Test whether the default rand_method (RAND_OpenSSL()) is + * setup correctly, in particular whether reseeding works + * as designed. + */ +static int test_rand_drbg_reseed(void) +{ + RAND_DRBG *master, *public, *private; + unsigned char rand_add_buf[256]; + int rv=0; + time_t before_reseed; + + /* Check whether RAND_OpenSSL() is the default method */ + if (RAND_get_rand_method() != RAND_OpenSSL()) + return 0; + + /* All three DRBGs should be non-null */ + if (!(master = RAND_DRBG_get0_master()) + || !(public = RAND_DRBG_get0_public()) + || !(private = RAND_DRBG_get0_private())) + return 0; + + /* There should be three distinct DRBGs, two of them chained to master */ + if (public == private + || public == master + || private == master + || public->parent != master + || private->parent != master) + return 0; + + /* Disable CRNG testing for the master DRBG */ + if (!disable_crngt(master)) + return 0; + + /* uninstantiate the three global DRBGs */ + RAND_DRBG_uninstantiate(private); + RAND_DRBG_uninstantiate(public); + RAND_DRBG_uninstantiate(master); + + + /* Install hooks for the following tests */ + hook_drbg(master, &master_ctx); + hook_drbg(public, &public_ctx); + hook_drbg(private, &private_ctx); + + + /* + * Test initial seeding of shared DRBGs + */ + if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)) + goto error; + reset_drbg_hook_ctx(); + + + /* + * Test initial state of shared DRBGs + */ + if (!test_drbg_reseed(1, master, public, private, 0, 0, 0, 0)) + goto error; + reset_drbg_hook_ctx(); + + /* + * Test whether the public and private DRBG are both reseeded when their + * reseed counters differ from the master's reseed counter. + */ + master->reseed_counter++; + if (!test_drbg_reseed(1, master, public, private, 0, 1, 1, 0)) + goto error; + reset_drbg_hook_ctx(); + + /* + * Test whether the public DRBG is reseeded when its reseed counter differs + * from the master's reseed counter. + */ + master->reseed_counter++; + private->reseed_counter++; + if (!test_drbg_reseed(1, master, public, private, 0, 1, 0, 0)) + goto error; + reset_drbg_hook_ctx(); + + /* + * Test whether the private DRBG is reseeded when its reseed counter differs + * from the master's reseed counter. + */ + master->reseed_counter++; + public->reseed_counter++; + if (!test_drbg_reseed(1, master, public, private, 0, 0, 1, 0)) + goto error; + reset_drbg_hook_ctx(); + +#if defined(OPENSSL_SYS_UNIX) + if (!test_drbg_reseed_after_fork(master, public, private)) + goto error; +#endif + + /* fill 'randomness' buffer with some arbitrary data */ + memset(rand_add_buf, 'r', sizeof(rand_add_buf)); + + /* + * Test whether all three DRBGs are reseeded by RAND_add(). + * The before_reseed time has to be measured here and passed into the + * test_drbg_reseed() test, because the master DRBG gets already reseeded + * in RAND_add(), whence the check for the condition + * before_reseed <= master->reseed_time will fail if the time value happens + * to increase between the RAND_add() and the test_drbg_reseed() call. + */ + before_reseed = time(NULL); + RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf)); + if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, + before_reseed)) + goto error; + reset_drbg_hook_ctx(); + + + /* + * Test whether none of the DRBGs is reseed if the master fails to reseed + */ + master_ctx.fail = 1; + master->reseed_counter++; + RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf)); + if (!test_drbg_reseed(0, master, public, private, 0, 0, 0, 0)) + goto error; + reset_drbg_hook_ctx(); + + rv = 1; + +error: + /* Remove hooks */ + unhook_drbg(master); + unhook_drbg(public); + unhook_drbg(private); + + return rv; +} + +#if defined(OPENSSL_THREADS) +static int multi_thread_rand_bytes_succeeded = 1; +static int multi_thread_rand_priv_bytes_succeeded = 1; + +static void run_multi_thread_test(void) +{ + unsigned char buf[256]; + time_t start = time(NULL); + RAND_DRBG *public = NULL, *private = NULL; + + if (!(public = RAND_DRBG_get0_public()) + || !(private = RAND_DRBG_get0_private())) { + multi_thread_rand_bytes_succeeded = 0; + return; + } + RAND_DRBG_set_reseed_time_interval(private, 1); + RAND_DRBG_set_reseed_time_interval(public, 1); + + do { + if (RAND_bytes(buf, sizeof(buf)) <= 0) + multi_thread_rand_bytes_succeeded = 0; + if (RAND_priv_bytes(buf, sizeof(buf)) <= 0) + multi_thread_rand_priv_bytes_succeeded = 0; + } + while(time(NULL) - start < 5); +} + +# if defined(OPENSSL_SYS_WINDOWS) + +typedef HANDLE thread_t; + +static DWORD WINAPI thread_run(LPVOID arg) +{ + run_multi_thread_test(); + /* + * Because we're linking with a static library, we must stop each + * thread explicitly, or so says OPENSSL_thread_stop(3) + */ + OPENSSL_thread_stop(); + return 0; +} + +static int run_thread(thread_t *t) +{ + *t = CreateThread(NULL, 0, thread_run, NULL, 0, NULL); + return *t != NULL; +} + +static int wait_for_thread(thread_t thread) +{ + return WaitForSingleObject(thread, INFINITE) == 0; +} + +# else + +typedef pthread_t thread_t; + +static void *thread_run(void *arg) +{ + run_multi_thread_test(); + /* + * Because we're linking with a static library, we must stop each + * thread explicitly, or so says OPENSSL_thread_stop(3) + */ + OPENSSL_thread_stop(); + return NULL; +} + +static int run_thread(thread_t *t) +{ + return pthread_create(t, NULL, thread_run, NULL) == 0; +} + +static int wait_for_thread(thread_t thread) +{ + return pthread_join(thread, NULL) == 0; +} + +# endif + +/* + * The main thread will also run the test, so we'll have THREADS+1 parallel + * tests running + */ +# define THREADS 3 + +static int test_multi_thread(void) +{ + thread_t t[THREADS]; + int i; + + for (i = 0; i < THREADS; i++) + run_thread(&t[i]); + run_multi_thread_test(); + for (i = 0; i < THREADS; i++) + wait_for_thread(t[i]); + + if (!multi_thread_rand_bytes_succeeded) + return 0; + if (!multi_thread_rand_priv_bytes_succeeded) + return 0; + + return 1; +} +#endif + +/* + * Test that instantiation with RAND_seed() works as expected + * + * If no os entropy source is available then RAND_seed(buffer, bufsize) + * is expected to succeed if and only if the buffer length is at least + * rand_drbg_seedlen(master) bytes. + * + * If an os entropy source is available then RAND_seed(buffer, bufsize) + * is expected to succeed always. + */ +static int test_rand_seed(void) +{ + RAND_DRBG *master = NULL; + unsigned char rand_buf[256]; + size_t rand_buflen; + size_t required_seed_buflen = 0; + + if (!(master = RAND_DRBG_get0_master()) + || !disable_crngt(master)) + return 0; + +#ifdef OPENSSL_RAND_SEED_NONE + required_seed_buflen = rand_drbg_seedlen(master); +#endif + + memset(rand_buf, 0xCD, sizeof(rand_buf)); + + for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) { + RAND_DRBG_uninstantiate(master); + RAND_seed(rand_buf, rand_buflen); + + if (RAND_status() != (rand_buflen >= required_seed_buflen)) + return 0; + } + + return 1; +} + +/* + * Test that adding additional data with RAND_add() works as expected + * when the master DRBG is instantiated (and below its reseed limit). + * + * This should succeed regardless of whether an os entropy source is + * available or not. + */ +static int test_rand_add(void) +{ + unsigned char rand_buf[256]; + size_t rand_buflen; + + memset(rand_buf, 0xCD, sizeof(rand_buf)); + + /* make sure it's instantiated */ + RAND_seed(rand_buf, sizeof(rand_buf)); + if (!RAND_status()) + return 0; + + for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) { + RAND_add(rand_buf, rand_buflen, 0.0); + if (!RAND_status()) + return 0; + } + + return 1; +} + +/* + * A list of the FIPS DRGB types. + */ +static const struct s_drgb_types { + int nid; + int flags; +} drgb_types[] = { + { NID_aes_128_ctr, 0 }, + { NID_aes_192_ctr, 0 }, + { NID_aes_256_ctr, 0 }, +}; + +/* Six cases for each covers seed sizes up to 32 bytes */ +static const size_t crngt_num_cases = 6; + +static size_t crngt_case, crngt_idx; + +static int crngt_entropy_cb(unsigned char *buf, unsigned char *md, + unsigned int *md_size) +{ + size_t i, z; + + if (crngt_idx >= crngt_num_cases) + return 0; + /* Generate a block of unique data unless this is the duplication point */ + z = crngt_idx++; + if (z > 0 && crngt_case == z) + z--; + for (i = 0; i < CRNGT_BUFSIZ; i++) + buf[i] = (unsigned char)(i + 'A' + z); + return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); +} + +static int test_crngt(int n) +{ + const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases; + RAND_DRBG *drbg = NULL; + unsigned char buff[100]; + size_t ent; + int res = 0; + int expect; + + if (!rand_crngt_single_init()) + return 0; + rand_crngt_cleanup(); + + if (!(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL))) + return 0; + ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ; + crngt_case = n % crngt_num_cases; + crngt_idx = 0; + crngt_get_entropy = &crngt_entropy_cb; + if (!rand_crngt_init()) + goto err; +#ifndef OPENSSL_FIPS + if (!RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy, + &rand_crngt_cleanup_entropy, + &rand_drbg_get_nonce, + &rand_drbg_cleanup_nonce)) + goto err; +#endif + expect = crngt_case == 0 || crngt_case > ent; + if (RAND_DRBG_instantiate(drbg, NULL, 0) != expect) + goto err; + if (!expect) + goto fin; + if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)) + goto err; + + expect = crngt_case == 0 || crngt_case > 2 * ent; + if (RAND_DRBG_reseed(drbg, NULL, 0, 0) != expect) + goto err; + if (!expect) + goto fin; + if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)) + goto err; + +fin: + res = 1; +err: +#if 0 + if (!res) + TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases, + crngt_case, crngt_idx); +#endif + uninstantiate(drbg); + RAND_DRBG_free(drbg); + crngt_get_entropy = &rand_crngt_get_entropy_cb; + return res; +} + +int FIPS_selftest_drbg(void) +{ + app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); + int i; + + for (i = 0; i < OSSL_NELEM(drbg_test); i++) { + if (!test_kats(i)) + return 0; + } + for (i = 0; i < OSSL_NELEM(drbg_test); i++) { + if (!test_error_checks(i)) + return 0; + } + +#if 0 + if (!test_rand_drbg_reseed()) + return 0; + if (!test_rand_seed()) + return 0; + if (!test_rand_add()) + return 0; +#if defined(OPENSSL_THREADS) + if (!test_multi_thread()) + return 0; +#endif + for (i = 0; i < crngt_num_cases * OSSL_NELEM(drgb_types); i++) { + if (!test_crngt(i)) + return 0; + } +#endif + return 1; +} + Index: openssl-1.1.1g/crypto/fips/drbgtest.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1g/crypto/fips/drbgtest.h 2020-05-15 16:19:01.662586731 +0200 @@ -0,0 +1,579 @@ +/* + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Known answer tests for SP800-90 DRBG CTR mode. + */ + + +/* + * AES-128 use df PR + */ +static const unsigned char aes_128_use_df_pr_entropyinput[] = { + 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, + 0xc8, 0xdb, 0xff, 0x12 +}; +static const unsigned char aes_128_use_df_pr_nonce[] = { + 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 +}; +static const unsigned char aes_128_use_df_pr_personalizationstring[] = { + 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, + 0xd7, 0xd7, 0x01, 0x67 +}; +static const unsigned char aes_128_use_df_pr_additionalinput[] = { + 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, + 0x9a, 0x47, 0x08, 0x76 +}; +static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { + 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, + 0x09, 0xfb, 0xa3, 0xb6 +}; +static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { + 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, + 0x66, 0x1c, 0xea, 0x5b +}; +static const unsigned char aes_128_use_df_pr_additionalinput2[] = { + 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, + 0x3f, 0x5e, 0x31, 0x06 +}; +static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { + 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, + 0xa7, 0xe3, 0xa8, 0x67 +}; +static const unsigned char aes_128_use_df_pr_returnedbits[] = { + 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, + 0x0f, 0x38, 0x43, 0xc6 +}; + + +/* + * AES-128 use df no PR + */ +static const unsigned char aes_128_use_df_entropyinput[] = { + 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, + 0x9d, 0x7d, 0x1c, 0x9b +}; +static const unsigned char aes_128_use_df_nonce[] = { + 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96, +}; +static const unsigned char aes_128_use_df_personalizationstring[] = { + 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, + 0x38, 0x66, 0xba, 0x1b +}; +static const unsigned char aes_128_use_df_additionalinput[] = { + 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, + 0xb5, 0xe2, 0xb2, 0x41 +}; +static const unsigned char aes_128_use_df_int_returnedbits[] = { + 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, + 0xe7, 0x57, 0x11, 0xb4 +}; +static const unsigned char aes_128_use_df_entropyinputreseed[] = { + 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, + 0xc7, 0xc4, 0x9e, 0x39 +}; +static const unsigned char aes_128_use_df_additionalinputreseed[] = { + 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, + 0xc8, 0x93, 0xfa, 0x84 +}; +static const unsigned char aes_128_use_df_additionalinput2[] = { + 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, + 0x06, 0x0c, 0x15, 0x2c +}; +static const unsigned char aes_128_use_df_returnedbits[] = { + 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, + 0x46, 0x81, 0xc7, 0x19 +}; + + +/* + * AES-192 use df PR + */ +static const unsigned char aes_192_use_df_pr_entropyinput[] = { + 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, + 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d +}; +static const unsigned char aes_192_use_df_pr_nonce[] = { + 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, + 0xd1, 0x80, 0x78, 0xfa +}; +static const unsigned char aes_192_use_df_pr_personalizationstring[] = { + 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, + 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, + 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 +}; +static const unsigned char aes_192_use_df_pr_additionalinput[] = { + 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, + 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, + 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 +}; +static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { + 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, + 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5, +}; +static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { + 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, + 0x19, 0x30, 0x6b, 0x67 +}; +static const unsigned char aes_192_use_df_pr_additionalinput2[] = { + 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, + 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, + 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 +}; +static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { + 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, + 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e, +}; +static const unsigned char aes_192_use_df_pr_returnedbits[] = { + 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, + 0x7e, 0x1a, 0x2b, 0x83 +}; + + +/* + * AES-192 use df no PR + */ +static const unsigned char aes_192_use_df_entropyinput[] = { + 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, + 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b, +}; +static const unsigned char aes_192_use_df_nonce[] = { + 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, + 0x77, 0xd7, 0x41, 0x0e +}; +static const unsigned char aes_192_use_df_personalizationstring[] = { + 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, + 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, + 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 +}; +static const unsigned char aes_192_use_df_additionalinput[] = { + 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, + 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, + 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 +}; +static const unsigned char aes_192_use_df_int_returnedbits[] = { + 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, + 0xb7, 0xed, 0xe9, 0xea +}; +static const unsigned char aes_192_use_df_entropyinputreseed[] = { + 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, + 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01, +}; +static const unsigned char aes_192_use_df_additionalinputreseed[] = { + 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, + 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, + 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 +}; +static const unsigned char aes_192_use_df_additionalinput2[] = { + 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, + 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, + 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 +}; +static const unsigned char aes_192_use_df_returnedbits[] = { + 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, + 0x1a, 0xf9, 0x13, 0x28 +}; + + +/* + * AES-256 use df PR + */ +static const unsigned char aes_256_use_df_pr_entropyinput[] = { + 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, + 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, + 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a +}; +static const unsigned char aes_256_use_df_pr_nonce[] = { + 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, + 0x2b, 0x36, 0xff, 0xa4 +}; +static const unsigned char aes_256_use_df_pr_personalizationstring[] = { + 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, + 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, + 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d +}; +static const unsigned char aes_256_use_df_pr_additionalinput[] = { + 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, + 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, + 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde +}; +static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { + 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, + 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, + 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 +}; +static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { + 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, + 0x17, 0xab, 0x3c, 0x7a +}; +static const unsigned char aes_256_use_df_pr_additionalinput2[] = { + 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, + 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, + 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 +}; +static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = { + 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, + 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, + 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f +}; +static const unsigned char aes_256_use_df_pr_returnedbits[] = { + 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, + 0xd9, 0xe2, 0x97, 0x00 +}; + + +/* + * AES-256 use df no PR + */ +static const unsigned char aes_256_use_df_entropyinput[] = { + 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, + 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, + 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 +}; +static const unsigned char aes_256_use_df_nonce[] = { + 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, + 0x4c, 0x44, 0x84, 0x40 +}; +static const unsigned char aes_256_use_df_personalizationstring[] = { + 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, + 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, + 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 +}; +static const unsigned char aes_256_use_df_additionalinput[] = { + 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, + 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, + 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 +}; +static const unsigned char aes_256_use_df_int_returnedbits[] = { + 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, + 0x28, 0x0c, 0x3b, 0xc1 +}; +static const unsigned char aes_256_use_df_entropyinputreseed[] = { + 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, + 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, + 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e +}; +static const unsigned char aes_256_use_df_additionalinputreseed[] = { + 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, + 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, + 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 +}; +static const unsigned char aes_256_use_df_additionalinput2[] = { + 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, + 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, + 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d +}; +static const unsigned char aes_256_use_df_returnedbits[] = { + 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, + 0xfa, 0xfd, 0x35, 0x5e +}; + + +/* + * AES-128 no df PR + */ +static const unsigned char aes_128_no_df_pr_entropyinput[] = { + 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, + 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, + 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a +}; +static const unsigned char aes_128_no_df_pr_nonce[] = { + 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1, +}; +static const unsigned char aes_128_no_df_pr_personalizationstring[] = { + 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, + 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, + 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 +}; +static const unsigned char aes_128_no_df_pr_additionalinput[] = { + 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, + 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, + 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 +}; +static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { + 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, + 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, + 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e +}; +static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { + 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, + 0xaf, 0x19, 0x32, 0x16 +}; +static const unsigned char aes_128_no_df_pr_additionalinput2[] = { + 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, + 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, + 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 +}; +static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { + 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, + 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, + 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 +}; +static const unsigned char aes_128_no_df_pr_returnedbits[] = { + 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, + 0x57, 0x82, 0x33, 0xaf +}; + + +/* + * AES-128 no df no PR + */ +static const unsigned char aes_128_no_df_entropyinput[] = { + 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, + 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, + 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 +}; +static const unsigned char aes_128_no_df_nonce[] = { + 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13, +}; +static const unsigned char aes_128_no_df_personalizationstring[] = { + 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, + 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, + 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce +}; +static const unsigned char aes_128_no_df_additionalinput[] = { + 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, + 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, + 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 +}; +static const unsigned char aes_128_no_df_int_returnedbits[] = { + 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, + 0xed, 0x3e, 0x65, 0xc2 +}; +static const unsigned char aes_128_no_df_entropyinputreseed[] = { + 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, + 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, + 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 +}; +static const unsigned char aes_128_no_df_additionalinputreseed[] = { + 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, + 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, + 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 +}; +static const unsigned char aes_128_no_df_additionalinput2[] = { + 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, + 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, + 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 +}; +static const unsigned char aes_128_no_df_returnedbits[] = { + 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, + 0x81, 0x37, 0x19, 0xd4 +}; + + +/* + * AES-192 no df PR + */ +static const unsigned char aes_192_no_df_pr_entropyinput[] = { + 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, + 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, + 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, + 0x17, 0x1f, 0x8d, 0x9a +}; +static const unsigned char aes_192_no_df_pr_nonce[] = { + 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, + 0x61, 0x5c, 0xee, 0x0f +}; +static const unsigned char aes_192_no_df_pr_personalizationstring[] = { + 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, + 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, + 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, + 0x57, 0x2e, 0xe7, 0x55 +}; +static const unsigned char aes_192_no_df_pr_additionalinput[] = { + 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, + 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, + 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, + 0xe2, 0xd0, 0x0c, 0x2f +}; +static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { + 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, + 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, + 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, + 0x1d, 0x30, 0xb3, 0x78 +}; +static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { + 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, + 0x7e, 0x3e, 0x0c, 0x26 +}; +static const unsigned char aes_192_no_df_pr_additionalinput2[] = { + 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, + 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, + 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, + 0x0c, 0x4b, 0xee, 0x6e +}; +static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { + 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, + 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, + 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, + 0x8e, 0x0a, 0x83, 0xdf +}; +static const unsigned char aes_192_no_df_pr_returnedbits[] = { + 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, + 0xb9, 0xa1, 0x21, 0x68 +}; + + +/* + * AES-192 no df no PR + */ +static const unsigned char aes_192_no_df_entropyinput[] = { + 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, + 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, + 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, + 0x94, 0xc3, 0x59, 0x63 +}; +static const unsigned char aes_192_no_df_nonce[] = { + 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, + 0x29, 0xfd, 0x45, 0x71 +}; +static const unsigned char aes_192_no_df_personalizationstring[] = { + 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, + 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, + 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, + 0x3b, 0x88, 0xce, 0x35 +}; +static const unsigned char aes_192_no_df_additionalinput[] = { + 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, + 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, + 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, + 0x3e, 0xbe, 0xd4, 0x8e +}; +static const unsigned char aes_192_no_df_int_returnedbits[] = { + 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, + 0x45, 0xe7, 0x4a, 0xc5 +}; +static const unsigned char aes_192_no_df_entropyinputreseed[] = { + 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, + 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, + 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, + 0x9b, 0xcb, 0x7e, 0x75 +}; +static const unsigned char aes_192_no_df_additionalinputreseed[] = { + 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01, + 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, + 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, + 0x5d, 0x7a, 0x25, 0x79 +}; +static const unsigned char aes_192_no_df_additionalinput2[] = { + 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, + 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, + 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, + 0x91, 0x6a, 0xe3, 0x5f +}; +static const unsigned char aes_192_no_df_returnedbits[] = { + 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, + 0x66, 0x67, 0x2c, 0x92 +}; + + +/* + * AES-256 no df PR + */ +static const unsigned char aes_256_no_df_pr_entropyinput[] = { + 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, + 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, + 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, + 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c, +}; +static const unsigned char aes_256_no_df_pr_nonce[] = { + 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, + 0xcc, 0x4b, 0xee, 0x2e +}; +static const unsigned char aes_256_no_df_pr_personalizationstring[] = { + 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, + 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, + 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, + 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06, +}; +static const unsigned char aes_256_no_df_pr_additionalinput[] = { + 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, + 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, + 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, + 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e, +}; +static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { + 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, + 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, + 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, + 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f, +}; +static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { + 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, + 0x79, 0x60, 0x93, 0xcf +}; +static const unsigned char aes_256_no_df_pr_additionalinput2[] = { + 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, + 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, + 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, + 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb, +}; +static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { + 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, + 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, + 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, + 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f, +}; +static const unsigned char aes_256_no_df_pr_returnedbits[] = { + 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, + 0x2d, 0x5f, 0x4a, 0x46 +}; + + +/* + * AES-256 no df no PR + */ +static const unsigned char aes_256_no_df_entropyinput[] = { + 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, + 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, + 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96, + 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3, +}; +static const unsigned char aes_256_no_df_nonce[] = { + 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, + 0x43, 0x96, 0xb9, 0xf0 +}; +static const unsigned char aes_256_no_df_personalizationstring[] = { + 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, + 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, + 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, + 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d, +}; +static const unsigned char aes_256_no_df_additionalinput[] = { + 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, + 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, + 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, + 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17, +}; +static const unsigned char aes_256_no_df_int_returnedbits[] = { + 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, + 0xd2, 0x25, 0x75, 0x0e +}; +static const unsigned char aes_256_no_df_entropyinputreseed[] = { + 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, + 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, + 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, + 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb, +}; +static const unsigned char aes_256_no_df_additionalinputreseed[] = { + 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, + 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, + 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, + 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29, +}; +static const unsigned char aes_256_no_df_additionalinput2[] = { + 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, + 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, + 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, + 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6, +}; +static const unsigned char aes_256_no_df_returnedbits[] = { + 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, + 0xf6, 0x02, 0x32, 0xe2 +}; Index: openssl-1.1.1g/crypto/fips/fips_post.c =================================================================== --- openssl-1.1.1g.orig/crypto/fips/fips_post.c 2020-05-15 16:18:44.030685013 +0200 +++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-05-15 16:19:01.662586731 +0200 @@ -51,7 +51,6 @@ #include #include -#include #include #include #include Index: openssl-1.1.1g/crypto/fips/build.info =================================================================== --- openssl-1.1.1g.orig/crypto/fips/build.info 2020-05-15 16:18:44.030685013 +0200 +++ openssl-1.1.1g/crypto/fips/build.info 2020-05-15 16:19:01.662586731 +0200 @@ -2,7 +2,7 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ - fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ fips_dh_selftest.c fips_ers.c Index: openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c =================================================================== --- openssl-1.1.1g.orig/crypto/fips/fips_drbg_selftest.c 2020-05-15 16:18:44.030685013 +0200 +++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-05-15 16:19:01.666586709 +0200 @@ -774,6 +774,7 @@ int FIPS_drbg_health_check(DRBG_CTX *dct return rv; } +#if 0 int FIPS_selftest_drbg(void) { DRBG_CTX *dctx; @@ -798,6 +799,7 @@ int FIPS_selftest_drbg(void) FIPS_drbg_free(dctx); return rv; } +#endif int FIPS_selftest_drbg_all(void) { Index: openssl-1.1.1g/crypto/fips/fips.c =================================================================== --- openssl-1.1.1g.orig/crypto/fips/fips.c 2020-05-15 16:18:44.030685013 +0200 +++ openssl-1.1.1g/crypto/fips/fips.c 2020-05-15 16:19:01.666586709 +0200 @@ -50,7 +50,6 @@ #define _GNU_SOURCE #include -#include #include #include #include