Pedro Monreal Gonzalez
5cbee84ef1
- Update to 1.1.1h
* Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used
* Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts
- refresh openssl-fips_selftest_upstream_drbg.patch
* DRBG internals got renamed back:
reseed_gen_counter -> generate_counter
reseed_prop_counter -> reseed_counter
OBS-URL: https://build.opensuse.org/request/show/836174
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=72
1826 lines
64 KiB
Diff
1826 lines
64 KiB
Diff
Index: openssl-1.1.1g/crypto/fips/drbgtest.c
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ openssl-1.1.1g/crypto/fips/drbgtest.c 2020-05-15 16:20:15.962172616 +0200
|
|
@@ -0,0 +1,1179 @@
|
|
+/*
|
|
+ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
+ *
|
|
+ * Licensed under the OpenSSL license (the "License"). You may not use
|
|
+ * this file except in compliance with the License. You can obtain a copy
|
|
+ * in the file LICENSE in the source distribution or at
|
|
+ * https://www.openssl.org/source/license.html
|
|
+ */
|
|
+
|
|
+#include <string.h>
|
|
+#include "internal/nelem.h"
|
|
+#include <openssl/crypto.h>
|
|
+#include <openssl/err.h>
|
|
+#include <openssl/rand.h>
|
|
+#include <openssl/obj_mac.h>
|
|
+#include <openssl/evp.h>
|
|
+#include <openssl/aes.h>
|
|
+#include "../crypto/rand/rand_local.h"
|
|
+#include "../include/crypto/rand.h"
|
|
+
|
|
+#if defined(_WIN32)
|
|
+# include <windows.h>
|
|
+#endif
|
|
+
|
|
+
|
|
+#if defined(OPENSSL_SYS_UNIX)
|
|
+# include <sys/types.h>
|
|
+# include <sys/wait.h>
|
|
+# include <unistd.h>
|
|
+#endif
|
|
+
|
|
+#include "../../test/drbgtest.h"
|
|
+
|
|
+typedef struct drbg_selftest_data_st {
|
|
+ int post;
|
|
+ int nid;
|
|
+ unsigned int flags;
|
|
+
|
|
+ /* KAT data for no PR */
|
|
+ const unsigned char *entropy;
|
|
+ size_t entropylen;
|
|
+ const unsigned char *nonce;
|
|
+ size_t noncelen;
|
|
+ const unsigned char *pers;
|
|
+ size_t perslen;
|
|
+ const unsigned char *adin;
|
|
+ size_t adinlen;
|
|
+ const unsigned char *entropyreseed;
|
|
+ size_t entropyreseedlen;
|
|
+ const unsigned char *adinreseed;
|
|
+ size_t adinreseedlen;
|
|
+ const unsigned char *adin2;
|
|
+ size_t adin2len;
|
|
+ const unsigned char *expected;
|
|
+ size_t exlen;
|
|
+ const unsigned char *kat2;
|
|
+ size_t kat2len;
|
|
+
|
|
+ /* KAT data for PR */
|
|
+ const unsigned char *entropy_pr;
|
|
+ size_t entropylen_pr;
|
|
+ const unsigned char *nonce_pr;
|
|
+ size_t noncelen_pr;
|
|
+ const unsigned char *pers_pr;
|
|
+ size_t perslen_pr;
|
|
+ const unsigned char *adin_pr;
|
|
+ size_t adinlen_pr;
|
|
+ const unsigned char *entropypr_pr;
|
|
+ size_t entropyprlen_pr;
|
|
+ const unsigned char *ading_pr;
|
|
+ size_t adinglen_pr;
|
|
+ const unsigned char *entropyg_pr;
|
|
+ size_t entropyglen_pr;
|
|
+ const unsigned char *kat_pr;
|
|
+ size_t katlen_pr;
|
|
+ const unsigned char *kat2_pr;
|
|
+ size_t kat2len_pr;
|
|
+} DRBG_SELFTEST_DATA;
|
|
+
|
|
+#define make_drbg_test_data(nid, flag, pr, post) {\
|
|
+ post, nid, flag, \
|
|
+ pr##_entropyinput, sizeof(pr##_entropyinput), \
|
|
+ pr##_nonce, sizeof(pr##_nonce), \
|
|
+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
|
|
+ pr##_additionalinput, sizeof(pr##_additionalinput), \
|
|
+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
|
|
+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
|
|
+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
|
|
+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
|
|
+ pr##_returnedbits, sizeof(pr##_returnedbits), \
|
|
+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
|
|
+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
|
|
+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
|
|
+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
|
|
+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
|
|
+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
|
|
+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
|
|
+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
|
|
+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
|
|
+ }
|
|
+
|
|
+#define make_drbg_test_data_use_df(nid, pr, p) \
|
|
+ make_drbg_test_data(nid, 0, pr, p)
|
|
+
|
|
+#define make_drbg_test_data_no_df(nid, pr, p) \
|
|
+ make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p)
|
|
+
|
|
+static DRBG_SELFTEST_DATA drbg_test[] = {
|
|
+ make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df, 0),
|
|
+ make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df, 0),
|
|
+ make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df, 1),
|
|
+ make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0),
|
|
+ make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0),
|
|
+ make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1),
|
|
+};
|
|
+
|
|
+static int app_data_index;
|
|
+
|
|
+/*
|
|
+ * Test context data, attached as EXDATA to the RAND_DRBG
|
|
+ */
|
|
+typedef struct test_ctx_st {
|
|
+ const unsigned char *entropy;
|
|
+ size_t entropylen;
|
|
+ int entropycnt;
|
|
+ const unsigned char *nonce;
|
|
+ size_t noncelen;
|
|
+ int noncecnt;
|
|
+} TEST_CTX;
|
|
+
|
|
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
|
|
+ int entropy, size_t min_len, size_t max_len,
|
|
+ int prediction_resistance)
|
|
+{
|
|
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
|
+
|
|
+ t->entropycnt++;
|
|
+ *pout = (unsigned char *)t->entropy;
|
|
+ return t->entropylen;
|
|
+}
|
|
+
|
|
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
|
|
+ int entropy, size_t min_len, size_t max_len)
|
|
+{
|
|
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
|
+
|
|
+ t->noncecnt++;
|
|
+ *pout = (unsigned char *)t->nonce;
|
|
+ return t->noncelen;
|
|
+}
|
|
+
|
|
+ /*
|
|
+ * Disable CRNG testing if it is enabled.
|
|
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
|
|
+ * for which the default personalisation string is used.
|
|
+ */
|
|
+static int disable_crngt(RAND_DRBG *drbg)
|
|
+{
|
|
+ static const char pers[] = DRBG_DEFAULT_PERS_STRING;
|
|
+ const int instantiate = drbg->state != DRBG_UNINITIALISED;
|
|
+
|
|
+ if (drbg->get_entropy != rand_crngt_get_entropy)
|
|
+ return 1;
|
|
+
|
|
+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
|
|
+ || !RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
|
|
+ &rand_drbg_cleanup_entropy,
|
|
+ &rand_drbg_get_nonce,
|
|
+ &rand_drbg_cleanup_nonce)
|
|
+ || (instantiate
|
|
+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
|
|
+ sizeof(pers) - 1)))
|
|
+ return 0;
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static int uninstantiate(RAND_DRBG *drbg)
|
|
+{
|
|
+ int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
|
|
+
|
|
+ ERR_clear_error();
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Do a single KAT test. Return 0 on failure.
|
|
+ */
|
|
+static int single_kat(DRBG_SELFTEST_DATA *td)
|
|
+{
|
|
+ RAND_DRBG *drbg = NULL;
|
|
+ TEST_CTX t;
|
|
+ int failures = 0;
|
|
+ unsigned char buff[1024];
|
|
+
|
|
+ /*
|
|
+ * Test without PR: Instantiate DRBG with test entropy, nonce and
|
|
+ * personalisation string.
|
|
+ */
|
|
+ if ((drbg = RAND_DRBG_new(td->nid, td->flags, NULL)) == NULL)
|
|
+ return 0;
|
|
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
|
+ kat_nonce, NULL)
|
|
+ || !disable_crngt(drbg)) {
|
|
+ failures++;
|
|
+ goto err;
|
|
+ }
|
|
+ memset(&t, 0, sizeof(t));
|
|
+ t.entropy = td->entropy;
|
|
+ t.entropylen = td->entropylen;
|
|
+ t.nonce = td->nonce;
|
|
+ t.noncelen = td->noncelen;
|
|
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
|
+
|
|
+ if (!RAND_DRBG_instantiate(drbg, td->pers, td->perslen)
|
|
+ || !RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
|
+ td->adin, td->adinlen)
|
|
+ || memcmp(td->expected, buff, td->exlen))
|
|
+ failures++;
|
|
+
|
|
+ /* Reseed DRBG with test entropy and additional input */
|
|
+ t.entropy = td->entropyreseed;
|
|
+ t.entropylen = td->entropyreseedlen;
|
|
+ if (!RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0)
|
|
+ || !RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
|
|
+ td->adin2, td->adin2len)
|
|
+ || memcmp(td->kat2, buff, td->kat2len))
|
|
+ failures++;
|
|
+ uninstantiate(drbg);
|
|
+
|
|
+ /*
|
|
+ * Now test with PR: Instantiate DRBG with test entropy, nonce and
|
|
+ * personalisation string.
|
|
+ */
|
|
+ if (!RAND_DRBG_set(drbg, td->nid, td->flags)
|
|
+ || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
|
+ kat_nonce, NULL))
|
|
+ failures++;
|
|
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
|
+ t.entropy = td->entropy_pr;
|
|
+ t.entropylen = td->entropylen_pr;
|
|
+ t.nonce = td->nonce_pr;
|
|
+ t.noncelen = td->noncelen_pr;
|
|
+ t.entropycnt = 0;
|
|
+ t.noncecnt = 0;
|
|
+ if (!RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr))
|
|
+ failures++;
|
|
+
|
|
+ /*
|
|
+ * Now generate with PR: we need to supply entropy as this will
|
|
+ * perform a reseed operation.
|
|
+ */
|
|
+ t.entropy = td->entropypr_pr;
|
|
+ t.entropylen = td->entropyprlen_pr;
|
|
+ if (!RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
|
|
+ td->adin_pr, td->adinlen_pr)
|
|
+ || memcmp(td->kat_pr, buff, td->katlen_pr))
|
|
+ failures++;
|
|
+
|
|
+ /*
|
|
+ * Now generate again with PR: supply new entropy again.
|
|
+ */
|
|
+ t.entropy = td->entropyg_pr;
|
|
+ t.entropylen = td->entropyglen_pr;
|
|
+
|
|
+ if (!RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
|
|
+ td->ading_pr, td->adinglen_pr)
|
|
+ || memcmp(td->kat2_pr, buff, td->kat2len_pr))
|
|
+ failures++;
|
|
+
|
|
+err:
|
|
+ uninstantiate(drbg);
|
|
+ RAND_DRBG_free(drbg);
|
|
+ return failures == 0;
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Initialise a DRBG based on selftest data
|
|
+ */
|
|
+static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
|
|
+{
|
|
+ if (!RAND_DRBG_set(drbg, td->nid, td->flags)
|
|
+ || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
|
+ kat_nonce, NULL))
|
|
+ return 0;
|
|
+ RAND_DRBG_set_ex_data(drbg, app_data_index, t);
|
|
+ t->entropy = td->entropy;
|
|
+ t->entropylen = td->entropylen;
|
|
+ t->nonce = td->nonce;
|
|
+ t->noncelen = td->noncelen;
|
|
+ t->entropycnt = 0;
|
|
+ t->noncecnt = 0;
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Initialise and instantiate DRBG based on selftest data
|
|
+ */
|
|
+static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td,
|
|
+ TEST_CTX *t)
|
|
+{
|
|
+ if (!init(drbg, td, t)
|
|
+ || !RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|
|
+ return 0;
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Perform extensive error checking as required by SP800-90.
|
|
+ * Induce several failure modes and check an error condition is set.
|
|
+ */
|
|
+static int error_check(DRBG_SELFTEST_DATA *td)
|
|
+{
|
|
+ static char zero[sizeof(RAND_DRBG)];
|
|
+ RAND_DRBG *drbg = NULL;
|
|
+ TEST_CTX t;
|
|
+ unsigned char buff[1024];
|
|
+ unsigned int reseed_counter_tmp;
|
|
+ int ret = 0;
|
|
+
|
|
+ if (!(drbg = RAND_DRBG_new(0, 0, NULL))
|
|
+ || !disable_crngt(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /*
|
|
+ * Personalisation string tests
|
|
+ */
|
|
+
|
|
+ /* Test detection of too large personalisation string */
|
|
+ if (!init(drbg, td, &t)
|
|
+ || RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
|
|
+ goto err;
|
|
+
|
|
+ /*
|
|
+ * Entropy source tests
|
|
+ */
|
|
+
|
|
+ /* Test entropy source failure detection: i.e. returns no data */
|
|
+ t.entropylen = 0;
|
|
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0)
|
|
+ goto err;
|
|
+
|
|
+ /* Try to generate output from uninstantiated DRBG */
|
|
+ if (RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
|
+ td->adin, td->adinlen)
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /* Test insufficient entropy */
|
|
+ if (!init(drbg, td, &t))
|
|
+ goto err;
|
|
+ t.entropylen = drbg->min_entropylen - 1;
|
|
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /* Test too much entropy */
|
|
+ if (!init(drbg, td, &t))
|
|
+ goto err;
|
|
+ t.entropylen = drbg->max_entropylen + 1;
|
|
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /*
|
|
+ * Nonce tests
|
|
+ */
|
|
+
|
|
+ /* Test too small nonce */
|
|
+ if (drbg->min_noncelen) {
|
|
+ if (!init(drbg, td, &t))
|
|
+ goto err;
|
|
+ t.noncelen = drbg->min_noncelen - 1;
|
|
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ /* Test too large nonce */
|
|
+ if (drbg->max_noncelen) {
|
|
+ if (!init(drbg, td, &t))
|
|
+ goto err;
|
|
+ t.noncelen = drbg->max_noncelen + 1;
|
|
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ /* Instantiate with valid data, Check generation is now OK */
|
|
+ if (!instantiate(drbg, td, &t)
|
|
+ || !RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
|
+ td->adin, td->adinlen))
|
|
+ goto err;
|
|
+
|
|
+ /* Request too much data for one request */
|
|
+ if (RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
|
|
+ td->adin, td->adinlen))
|
|
+ goto err;
|
|
+
|
|
+ /* Try too large additional input */
|
|
+ if (RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
|
+ td->adin, drbg->max_adinlen + 1))
|
|
+ goto err;
|
|
+
|
|
+ /*
|
|
+ * Check prediction resistance request fails if entropy source
|
|
+ * failure.
|
|
+ */
|
|
+ t.entropylen = 0;
|
|
+ if (RAND_DRBG_generate(drbg, buff, td->exlen, 1,
|
|
+ td->adin, td->adinlen)
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /* Instantiate again with valid data */
|
|
+ if (!instantiate(drbg, td, &t))
|
|
+ goto err;
|
|
+ reseed_counter_tmp = drbg->generate_counter;
|
|
+ drbg->generate_counter = drbg->reseed_interval;
|
|
+
|
|
+ /* Generate output and check entropy has been requested for reseed */
|
|
+ t.entropycnt = 0;
|
|
+ if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
|
+ td->adin, td->adinlen)
|
|
+ || t.entropycnt != 1
|
|
+ || drbg->generate_counter != reseed_counter_tmp + 1
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /*
|
|
+ * Check prediction resistance request fails if entropy source
|
|
+ * failure.
|
|
+ */
|
|
+ t.entropylen = 0;
|
|
+ if (RAND_DRBG_generate(drbg, buff, td->exlen, 1,
|
|
+ td->adin, td->adinlen)
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /* Test reseed counter works */
|
|
+ if (!instantiate(drbg, td, &t))
|
|
+ goto err;
|
|
+ reseed_counter_tmp = drbg->generate_counter;
|
|
+ drbg->generate_counter = drbg->reseed_interval;
|
|
+
|
|
+ /* Generate output and check entropy has been requested for reseed */
|
|
+ t.entropycnt = 0;
|
|
+ if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
|
|
+ td->adin, td->adinlen)
|
|
+ || t.entropycnt != 1
|
|
+ || drbg->generate_counter != reseed_counter_tmp + 1
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /*
|
|
+ * Explicit reseed tests
|
|
+ */
|
|
+
|
|
+ /* Test explicit reseed with too large additional input */
|
|
+ if (!instantiate(drbg, td, &t)
|
|
+ || RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0)
|
|
+ goto err;
|
|
+
|
|
+ /* Test explicit reseed with entropy source failure */
|
|
+ t.entropylen = 0;
|
|
+ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /* Test explicit reseed with too much entropy */
|
|
+ if (!instantiate(drbg, td, &t))
|
|
+ goto err;
|
|
+ t.entropylen = drbg->max_entropylen + 1;
|
|
+ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /* Test explicit reseed with too little entropy */
|
|
+ if (!instantiate(drbg, td, &t))
|
|
+ goto err;
|
|
+ t.entropylen = drbg->min_entropylen - 1;
|
|
+ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
|
|
+ || !uninstantiate(drbg))
|
|
+ goto err;
|
|
+
|
|
+ /* Standard says we have to check uninstantiate really zeroes */
|
|
+ /*
|
|
+ * RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(),
|
|
+ * but right after that it resets drbg->data.ctr using RAND_DRBG_set(), so
|
|
+ * the following memcmp will fail.
|
|
+ */
|
|
+#if 0
|
|
+ if (memcmp(zero, &drbg->data, sizeof(drbg->data)))
|
|
+ goto err;
|
|
+#endif
|
|
+
|
|
+ ret = 1;
|
|
+
|
|
+err:
|
|
+ uninstantiate(drbg);
|
|
+ RAND_DRBG_free(drbg);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+static int test_kats(int i)
|
|
+{
|
|
+ DRBG_SELFTEST_DATA *td = &drbg_test[i];
|
|
+ int rv = 0;
|
|
+
|
|
+ if (!single_kat(td))
|
|
+ goto err;
|
|
+ rv = 1;
|
|
+
|
|
+err:
|
|
+ return rv;
|
|
+}
|
|
+
|
|
+static int test_error_checks(int i)
|
|
+{
|
|
+ DRBG_SELFTEST_DATA *td = &drbg_test[i];
|
|
+ int rv = 0;
|
|
+
|
|
+ if (!error_check(td))
|
|
+ goto err;
|
|
+ rv = 1;
|
|
+
|
|
+err:
|
|
+ return rv;
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Hook context data, attached as EXDATA to the RAND_DRBG
|
|
+ */
|
|
+typedef struct hook_ctx_st {
|
|
+ RAND_DRBG *drbg;
|
|
+ /*
|
|
+ * Currently, all DRBGs use the same get_entropy() callback.
|
|
+ * The tests however, don't assume this and store
|
|
+ * the original callback for every DRBG separately.
|
|
+ */
|
|
+ RAND_DRBG_get_entropy_fn get_entropy;
|
|
+ /* forces a failure of the get_entropy() call if nonzero */
|
|
+ int fail;
|
|
+ /* counts successful reseeds */
|
|
+ int reseed_count;
|
|
+} HOOK_CTX;
|
|
+
|
|
+static HOOK_CTX master_ctx, public_ctx, private_ctx;
|
|
+
|
|
+static HOOK_CTX *get_hook_ctx(RAND_DRBG *drbg)
|
|
+{
|
|
+ return (HOOK_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
|
+}
|
|
+
|
|
+/* Intercepts and counts calls to the get_entropy() callback */
|
|
+static size_t get_entropy_hook(RAND_DRBG *drbg, unsigned char **pout,
|
|
+ int entropy, size_t min_len, size_t max_len,
|
|
+ int prediction_resistance)
|
|
+{
|
|
+ size_t ret;
|
|
+ HOOK_CTX *ctx = get_hook_ctx(drbg);
|
|
+
|
|
+ if (ctx->fail != 0)
|
|
+ return 0;
|
|
+
|
|
+ ret = ctx->get_entropy(drbg, pout, entropy, min_len, max_len,
|
|
+ prediction_resistance);
|
|
+
|
|
+ if (ret != 0)
|
|
+ ctx->reseed_count++;
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+/* Installs a hook for the get_entropy() callback of the given drbg */
|
|
+static void hook_drbg(RAND_DRBG *drbg, HOOK_CTX *ctx)
|
|
+{
|
|
+ memset(ctx, 0, sizeof(*ctx));
|
|
+ ctx->drbg = drbg;
|
|
+ ctx->get_entropy = drbg->get_entropy;
|
|
+ drbg->get_entropy = get_entropy_hook;
|
|
+ RAND_DRBG_set_ex_data(drbg, app_data_index, ctx);
|
|
+}
|
|
+
|
|
+/* Installs the hook for the get_entropy() callback of the given drbg */
|
|
+static void unhook_drbg(RAND_DRBG *drbg)
|
|
+{
|
|
+ HOOK_CTX *ctx = get_hook_ctx(drbg);
|
|
+
|
|
+ drbg->get_entropy = ctx->get_entropy;
|
|
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
|
|
+}
|
|
+
|
|
+/* Resets the given hook context */
|
|
+static void reset_hook_ctx(HOOK_CTX *ctx)
|
|
+{
|
|
+ ctx->fail = 0;
|
|
+ ctx->reseed_count = 0;
|
|
+}
|
|
+
|
|
+/* Resets all drbg hook contexts */
|
|
+static void reset_drbg_hook_ctx(void)
|
|
+{
|
|
+ reset_hook_ctx(&master_ctx);
|
|
+ reset_hook_ctx(&public_ctx);
|
|
+ reset_hook_ctx(&private_ctx);
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Generates random output using RAND_bytes() and RAND_priv_bytes()
|
|
+ * and checks whether the three shared DRBGs were reseeded as
|
|
+ * expected.
|
|
+ *
|
|
+ * |expect_success|: expected outcome (as reported by RAND_status())
|
|
+ * |master|, |public|, |private|: pointers to the three shared DRBGs
|
|
+ * |expect_xxx_reseed| =
|
|
+ * 1: it is expected that the specified DRBG is reseeded
|
|
+ * 0: it is expected that the specified DRBG is not reseeded
|
|
+ * -1: don't check whether the specified DRBG was reseeded or not
|
|
+ * |reseed_time|: if nonzero, used instead of time(NULL) to set the
|
|
+ * |before_reseed| time.
|
|
+ */
|
|
+static int test_drbg_reseed(int expect_success,
|
|
+ RAND_DRBG *master,
|
|
+ RAND_DRBG *public,
|
|
+ RAND_DRBG *private,
|
|
+ int expect_master_reseed,
|
|
+ int expect_public_reseed,
|
|
+ int expect_private_reseed,
|
|
+ time_t reseed_time
|
|
+ )
|
|
+{
|
|
+ unsigned char buf[32];
|
|
+ time_t before_reseed, after_reseed;
|
|
+ int expected_state = (expect_success ? DRBG_READY : DRBG_ERROR);
|
|
+
|
|
+ /*
|
|
+ * step 1: check preconditions
|
|
+ */
|
|
+
|
|
+ /* Test whether seed propagation is enabled */
|
|
+ if (master->reseed_counter == 0
|
|
+ || public->reseed_counter == 0
|
|
+ || private->reseed_counter == 0)
|
|
+ return 0;
|
|
+
|
|
+ /* Check whether the master DRBG's reseed counter is the largest one */
|
|
+ if (public->reseed_counter > master->reseed_counter
|
|
+ || private->reseed_counter > master->reseed_counter)
|
|
+ return 0;
|
|
+
|
|
+ /*
|
|
+ * step 2: generate random output
|
|
+ */
|
|
+
|
|
+ if (reseed_time == 0)
|
|
+ reseed_time = time(NULL);
|
|
+
|
|
+ /* Generate random output from the public and private DRBG */
|
|
+ before_reseed = expect_master_reseed == 1 ? reseed_time : 0;
|
|
+ if (RAND_bytes(buf, sizeof(buf)) != expect_success
|
|
+ || RAND_priv_bytes(buf, sizeof(buf)) != expect_success)
|
|
+ return 0;
|
|
+ after_reseed = time(NULL);
|
|
+
|
|
+
|
|
+ /*
|
|
+ * step 3: check postconditions
|
|
+ */
|
|
+
|
|
+ /* Test whether reseeding succeeded as expected */
|
|
+ if (master->state != expected_state
|
|
+ || public->state != expected_state
|
|
+ || private->state != expected_state)
|
|
+ return 0;
|
|
+
|
|
+ if (expect_master_reseed >= 0) {
|
|
+ /* Test whether master DRBG was reseeded as expected */
|
|
+ if (master_ctx.reseed_count != expect_master_reseed)
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ if (expect_public_reseed >= 0) {
|
|
+ /* Test whether public DRBG was reseeded as expected */
|
|
+ if (public_ctx.reseed_count != expect_public_reseed)
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ if (expect_private_reseed >= 0) {
|
|
+ /* Test whether public DRBG was reseeded as expected */
|
|
+ if (private_ctx.reseed_count != expect_private_reseed)
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ if (expect_success == 1) {
|
|
+ /* Test whether all three reseed counters are synchronized */
|
|
+ if (public->reseed_counter != master->reseed_counter
|
|
+ || private->reseed_counter != master->reseed_counter)
|
|
+ return 0;
|
|
+
|
|
+ /* Test whether reseed time of master DRBG is set correctly */
|
|
+ if (before_reseed > master->reseed_time
|
|
+ || master->reseed_time > after_reseed)
|
|
+ return 0;
|
|
+
|
|
+ /* Test whether reseed times of child DRBGs are synchronized with master */
|
|
+ if (public->reseed_time < master->reseed_time
|
|
+ || private->reseed_time < master->reseed_time)
|
|
+ return 0;
|
|
+ } else {
|
|
+ ERR_clear_error();
|
|
+ }
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+
|
|
+#if defined(OPENSSL_SYS_UNIX)
|
|
+/*
|
|
+ * Test whether master, public and private DRBG are reseeded after
|
|
+ * forking the process.
|
|
+ */
|
|
+static int test_drbg_reseed_after_fork(RAND_DRBG *master,
|
|
+ RAND_DRBG *public,
|
|
+ RAND_DRBG *private)
|
|
+{
|
|
+ pid_t pid;
|
|
+ int status=0;
|
|
+
|
|
+ pid = fork();
|
|
+ if (pid < 0)
|
|
+ return 0;
|
|
+
|
|
+ if (pid > 0) {
|
|
+ /* I'm the parent; wait for the child and check its exit code */
|
|
+ return (waitpid(pid, &status, 0) == pid) && status == 0;
|
|
+ }
|
|
+
|
|
+ /* I'm the child; check whether all three DRBGs reseed. */
|
|
+ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))
|
|
+ status = 1;
|
|
+
|
|
+ /* Remove hooks */
|
|
+ unhook_drbg(master);
|
|
+ unhook_drbg(public);
|
|
+ unhook_drbg(private);
|
|
+ exit(status);
|
|
+}
|
|
+#endif
|
|
+
|
|
+/*
|
|
+ * Test whether the default rand_method (RAND_OpenSSL()) is
|
|
+ * setup correctly, in particular whether reseeding works
|
|
+ * as designed.
|
|
+ */
|
|
+static int test_rand_drbg_reseed(void)
|
|
+{
|
|
+ RAND_DRBG *master, *public, *private;
|
|
+ unsigned char rand_add_buf[256];
|
|
+ int rv=0;
|
|
+ time_t before_reseed;
|
|
+
|
|
+ /* Check whether RAND_OpenSSL() is the default method */
|
|
+ if (RAND_get_rand_method() != RAND_OpenSSL())
|
|
+ return 0;
|
|
+
|
|
+ /* All three DRBGs should be non-null */
|
|
+ if (!(master = RAND_DRBG_get0_master())
|
|
+ || !(public = RAND_DRBG_get0_public())
|
|
+ || !(private = RAND_DRBG_get0_private()))
|
|
+ return 0;
|
|
+
|
|
+ /* There should be three distinct DRBGs, two of them chained to master */
|
|
+ if (public == private
|
|
+ || public == master
|
|
+ || private == master
|
|
+ || public->parent != master
|
|
+ || private->parent != master)
|
|
+ return 0;
|
|
+
|
|
+ /* Disable CRNG testing for the master DRBG */
|
|
+ if (!disable_crngt(master))
|
|
+ return 0;
|
|
+
|
|
+ /* uninstantiate the three global DRBGs */
|
|
+ RAND_DRBG_uninstantiate(private);
|
|
+ RAND_DRBG_uninstantiate(public);
|
|
+ RAND_DRBG_uninstantiate(master);
|
|
+
|
|
+
|
|
+ /* Install hooks for the following tests */
|
|
+ hook_drbg(master, &master_ctx);
|
|
+ hook_drbg(public, &public_ctx);
|
|
+ hook_drbg(private, &private_ctx);
|
|
+
|
|
+
|
|
+ /*
|
|
+ * Test initial seeding of shared DRBGs
|
|
+ */
|
|
+ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))
|
|
+ goto error;
|
|
+ reset_drbg_hook_ctx();
|
|
+
|
|
+
|
|
+ /*
|
|
+ * Test initial state of shared DRBGs
|
|
+ */
|
|
+ if (!test_drbg_reseed(1, master, public, private, 0, 0, 0, 0))
|
|
+ goto error;
|
|
+ reset_drbg_hook_ctx();
|
|
+
|
|
+ /*
|
|
+ * Test whether the public and private DRBG are both reseeded when their
|
|
+ * reseed counters differ from the master's reseed counter.
|
|
+ */
|
|
+ master->reseed_counter++;
|
|
+ if (!test_drbg_reseed(1, master, public, private, 0, 1, 1, 0))
|
|
+ goto error;
|
|
+ reset_drbg_hook_ctx();
|
|
+
|
|
+ /*
|
|
+ * Test whether the public DRBG is reseeded when its reseed counter differs
|
|
+ * from the master's reseed counter.
|
|
+ */
|
|
+ master->reseed_counter++;
|
|
+ private->reseed_counter++;
|
|
+ if (!test_drbg_reseed(1, master, public, private, 0, 1, 0, 0))
|
|
+ goto error;
|
|
+ reset_drbg_hook_ctx();
|
|
+
|
|
+ /*
|
|
+ * Test whether the private DRBG is reseeded when its reseed counter differs
|
|
+ * from the master's reseed counter.
|
|
+ */
|
|
+ master->reseed_counter++;
|
|
+ public->reseed_counter++;
|
|
+ if (!test_drbg_reseed(1, master, public, private, 0, 0, 1, 0))
|
|
+ goto error;
|
|
+ reset_drbg_hook_ctx();
|
|
+
|
|
+#if defined(OPENSSL_SYS_UNIX)
|
|
+ if (!test_drbg_reseed_after_fork(master, public, private))
|
|
+ goto error;
|
|
+#endif
|
|
+
|
|
+ /* fill 'randomness' buffer with some arbitrary data */
|
|
+ memset(rand_add_buf, 'r', sizeof(rand_add_buf));
|
|
+
|
|
+ /*
|
|
+ * Test whether all three DRBGs are reseeded by RAND_add().
|
|
+ * The before_reseed time has to be measured here and passed into the
|
|
+ * test_drbg_reseed() test, because the master DRBG gets already reseeded
|
|
+ * in RAND_add(), whence the check for the condition
|
|
+ * before_reseed <= master->reseed_time will fail if the time value happens
|
|
+ * to increase between the RAND_add() and the test_drbg_reseed() call.
|
|
+ */
|
|
+ before_reseed = time(NULL);
|
|
+ RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
|
|
+ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1,
|
|
+ before_reseed))
|
|
+ goto error;
|
|
+ reset_drbg_hook_ctx();
|
|
+
|
|
+
|
|
+ /*
|
|
+ * Test whether none of the DRBGs is reseed if the master fails to reseed
|
|
+ */
|
|
+ master_ctx.fail = 1;
|
|
+ master->reseed_counter++;
|
|
+ RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
|
|
+ if (!test_drbg_reseed(0, master, public, private, 0, 0, 0, 0))
|
|
+ goto error;
|
|
+ reset_drbg_hook_ctx();
|
|
+
|
|
+ rv = 1;
|
|
+
|
|
+error:
|
|
+ /* Remove hooks */
|
|
+ unhook_drbg(master);
|
|
+ unhook_drbg(public);
|
|
+ unhook_drbg(private);
|
|
+
|
|
+ return rv;
|
|
+}
|
|
+
|
|
+#if defined(OPENSSL_THREADS)
|
|
+static int multi_thread_rand_bytes_succeeded = 1;
|
|
+static int multi_thread_rand_priv_bytes_succeeded = 1;
|
|
+
|
|
+static void run_multi_thread_test(void)
|
|
+{
|
|
+ unsigned char buf[256];
|
|
+ time_t start = time(NULL);
|
|
+ RAND_DRBG *public = NULL, *private = NULL;
|
|
+
|
|
+ if (!(public = RAND_DRBG_get0_public())
|
|
+ || !(private = RAND_DRBG_get0_private())) {
|
|
+ multi_thread_rand_bytes_succeeded = 0;
|
|
+ return;
|
|
+ }
|
|
+ RAND_DRBG_set_reseed_time_interval(private, 1);
|
|
+ RAND_DRBG_set_reseed_time_interval(public, 1);
|
|
+
|
|
+ do {
|
|
+ if (RAND_bytes(buf, sizeof(buf)) <= 0)
|
|
+ multi_thread_rand_bytes_succeeded = 0;
|
|
+ if (RAND_priv_bytes(buf, sizeof(buf)) <= 0)
|
|
+ multi_thread_rand_priv_bytes_succeeded = 0;
|
|
+ }
|
|
+ while(time(NULL) - start < 5);
|
|
+}
|
|
+
|
|
+# if defined(OPENSSL_SYS_WINDOWS)
|
|
+
|
|
+typedef HANDLE thread_t;
|
|
+
|
|
+static DWORD WINAPI thread_run(LPVOID arg)
|
|
+{
|
|
+ run_multi_thread_test();
|
|
+ /*
|
|
+ * Because we're linking with a static library, we must stop each
|
|
+ * thread explicitly, or so says OPENSSL_thread_stop(3)
|
|
+ */
|
|
+ OPENSSL_thread_stop();
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int run_thread(thread_t *t)
|
|
+{
|
|
+ *t = CreateThread(NULL, 0, thread_run, NULL, 0, NULL);
|
|
+ return *t != NULL;
|
|
+}
|
|
+
|
|
+static int wait_for_thread(thread_t thread)
|
|
+{
|
|
+ return WaitForSingleObject(thread, INFINITE) == 0;
|
|
+}
|
|
+
|
|
+# else
|
|
+
|
|
+typedef pthread_t thread_t;
|
|
+
|
|
+static void *thread_run(void *arg)
|
|
+{
|
|
+ run_multi_thread_test();
|
|
+ /*
|
|
+ * Because we're linking with a static library, we must stop each
|
|
+ * thread explicitly, or so says OPENSSL_thread_stop(3)
|
|
+ */
|
|
+ OPENSSL_thread_stop();
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
+static int run_thread(thread_t *t)
|
|
+{
|
|
+ return pthread_create(t, NULL, thread_run, NULL) == 0;
|
|
+}
|
|
+
|
|
+static int wait_for_thread(thread_t thread)
|
|
+{
|
|
+ return pthread_join(thread, NULL) == 0;
|
|
+}
|
|
+
|
|
+# endif
|
|
+
|
|
+/*
|
|
+ * The main thread will also run the test, so we'll have THREADS+1 parallel
|
|
+ * tests running
|
|
+ */
|
|
+# define THREADS 3
|
|
+
|
|
+static int test_multi_thread(void)
|
|
+{
|
|
+ thread_t t[THREADS];
|
|
+ int i;
|
|
+
|
|
+ for (i = 0; i < THREADS; i++)
|
|
+ run_thread(&t[i]);
|
|
+ run_multi_thread_test();
|
|
+ for (i = 0; i < THREADS; i++)
|
|
+ wait_for_thread(t[i]);
|
|
+
|
|
+ if (!multi_thread_rand_bytes_succeeded)
|
|
+ return 0;
|
|
+ if (!multi_thread_rand_priv_bytes_succeeded)
|
|
+ return 0;
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+#endif
|
|
+
|
|
+/*
|
|
+ * Test that instantiation with RAND_seed() works as expected
|
|
+ *
|
|
+ * If no os entropy source is available then RAND_seed(buffer, bufsize)
|
|
+ * is expected to succeed if and only if the buffer length is at least
|
|
+ * rand_drbg_seedlen(master) bytes.
|
|
+ *
|
|
+ * If an os entropy source is available then RAND_seed(buffer, bufsize)
|
|
+ * is expected to succeed always.
|
|
+ */
|
|
+static int test_rand_seed(void)
|
|
+{
|
|
+ RAND_DRBG *master = NULL;
|
|
+ unsigned char rand_buf[256];
|
|
+ size_t rand_buflen;
|
|
+ size_t required_seed_buflen = 0;
|
|
+
|
|
+ if (!(master = RAND_DRBG_get0_master())
|
|
+ || !disable_crngt(master))
|
|
+ return 0;
|
|
+
|
|
+#ifdef OPENSSL_RAND_SEED_NONE
|
|
+ required_seed_buflen = rand_drbg_seedlen(master);
|
|
+#endif
|
|
+
|
|
+ memset(rand_buf, 0xCD, sizeof(rand_buf));
|
|
+
|
|
+ for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
|
|
+ RAND_DRBG_uninstantiate(master);
|
|
+ RAND_seed(rand_buf, rand_buflen);
|
|
+
|
|
+ if (RAND_status() != (rand_buflen >= required_seed_buflen))
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Test that adding additional data with RAND_add() works as expected
|
|
+ * when the master DRBG is instantiated (and below its reseed limit).
|
|
+ *
|
|
+ * This should succeed regardless of whether an os entropy source is
|
|
+ * available or not.
|
|
+ */
|
|
+static int test_rand_add(void)
|
|
+{
|
|
+ unsigned char rand_buf[256];
|
|
+ size_t rand_buflen;
|
|
+
|
|
+ memset(rand_buf, 0xCD, sizeof(rand_buf));
|
|
+
|
|
+ /* make sure it's instantiated */
|
|
+ RAND_seed(rand_buf, sizeof(rand_buf));
|
|
+ if (!RAND_status())
|
|
+ return 0;
|
|
+
|
|
+ for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
|
|
+ RAND_add(rand_buf, rand_buflen, 0.0);
|
|
+ if (!RAND_status())
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+/*
|
|
+ * A list of the FIPS DRGB types.
|
|
+ */
|
|
+static const struct s_drgb_types {
|
|
+ int nid;
|
|
+ int flags;
|
|
+} drgb_types[] = {
|
|
+ { NID_aes_128_ctr, 0 },
|
|
+ { NID_aes_192_ctr, 0 },
|
|
+ { NID_aes_256_ctr, 0 },
|
|
+};
|
|
+
|
|
+/* Six cases for each covers seed sizes up to 32 bytes */
|
|
+static const size_t crngt_num_cases = 6;
|
|
+
|
|
+static size_t crngt_case, crngt_idx;
|
|
+
|
|
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
|
|
+ unsigned int *md_size)
|
|
+{
|
|
+ size_t i, z;
|
|
+
|
|
+ if (crngt_idx >= crngt_num_cases)
|
|
+ return 0;
|
|
+ /* Generate a block of unique data unless this is the duplication point */
|
|
+ z = crngt_idx++;
|
|
+ if (z > 0 && crngt_case == z)
|
|
+ z--;
|
|
+ for (i = 0; i < CRNGT_BUFSIZ; i++)
|
|
+ buf[i] = (unsigned char)(i + 'A' + z);
|
|
+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
|
|
+}
|
|
+
|
|
+static int test_crngt(int n)
|
|
+{
|
|
+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
|
|
+ RAND_DRBG *drbg = NULL;
|
|
+ unsigned char buff[100];
|
|
+ size_t ent;
|
|
+ int res = 0;
|
|
+ int expect;
|
|
+
|
|
+ if (!rand_crngt_single_init())
|
|
+ return 0;
|
|
+ rand_crngt_cleanup();
|
|
+
|
|
+ if (!(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
|
|
+ return 0;
|
|
+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
|
|
+ crngt_case = n % crngt_num_cases;
|
|
+ crngt_idx = 0;
|
|
+ crngt_get_entropy = &crngt_entropy_cb;
|
|
+ if (!rand_crngt_init())
|
|
+ goto err;
|
|
+#ifndef OPENSSL_FIPS
|
|
+ if (!RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
|
|
+ &rand_crngt_cleanup_entropy,
|
|
+ &rand_drbg_get_nonce,
|
|
+ &rand_drbg_cleanup_nonce))
|
|
+ goto err;
|
|
+#endif
|
|
+ expect = crngt_case == 0 || crngt_case > ent;
|
|
+ if (RAND_DRBG_instantiate(drbg, NULL, 0) != expect)
|
|
+ goto err;
|
|
+ if (!expect)
|
|
+ goto fin;
|
|
+ if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))
|
|
+ goto err;
|
|
+
|
|
+ expect = crngt_case == 0 || crngt_case > 2 * ent;
|
|
+ if (RAND_DRBG_reseed(drbg, NULL, 0, 0) != expect)
|
|
+ goto err;
|
|
+ if (!expect)
|
|
+ goto fin;
|
|
+ if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))
|
|
+ goto err;
|
|
+
|
|
+fin:
|
|
+ res = 1;
|
|
+err:
|
|
+#if 0
|
|
+ if (!res)
|
|
+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
|
|
+ crngt_case, crngt_idx);
|
|
+#endif
|
|
+ uninstantiate(drbg);
|
|
+ RAND_DRBG_free(drbg);
|
|
+ crngt_get_entropy = &rand_crngt_get_entropy_cb;
|
|
+ return res;
|
|
+}
|
|
+
|
|
+int FIPS_selftest_drbg(void)
|
|
+{
|
|
+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
|
|
+ int i;
|
|
+
|
|
+ for (i = 0; i < OSSL_NELEM(drbg_test); i++) {
|
|
+ if (!test_kats(i))
|
|
+ return 0;
|
|
+ }
|
|
+ for (i = 0; i < OSSL_NELEM(drbg_test); i++) {
|
|
+ if (!test_error_checks(i))
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+#if 0
|
|
+ if (!test_rand_drbg_reseed())
|
|
+ return 0;
|
|
+ if (!test_rand_seed())
|
|
+ return 0;
|
|
+ if (!test_rand_add())
|
|
+ return 0;
|
|
+#if defined(OPENSSL_THREADS)
|
|
+ if (!test_multi_thread())
|
|
+ return 0;
|
|
+#endif
|
|
+ for (i = 0; i < crngt_num_cases * OSSL_NELEM(drgb_types); i++) {
|
|
+ if (!test_crngt(i))
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+ return 1;
|
|
+}
|
|
+
|
|
Index: openssl-1.1.1g/crypto/fips/drbgtest.h
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ openssl-1.1.1g/crypto/fips/drbgtest.h 2020-05-15 16:19:01.662586731 +0200
|
|
@@ -0,0 +1,579 @@
|
|
+/*
|
|
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
|
|
+ *
|
|
+ * Licensed under the OpenSSL license (the "License"). You may not use
|
|
+ * this file except in compliance with the License. You can obtain a copy
|
|
+ * in the file LICENSE in the source distribution or at
|
|
+ * https://www.openssl.org/source/license.html
|
|
+ */
|
|
+
|
|
+/*
|
|
+ * Known answer tests for SP800-90 DRBG CTR mode.
|
|
+ */
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-128 use df PR
|
|
+ */
|
|
+static const unsigned char aes_128_use_df_pr_entropyinput[] = {
|
|
+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
|
|
+ 0xc8, 0xdb, 0xff, 0x12
|
|
+};
|
|
+static const unsigned char aes_128_use_df_pr_nonce[] = {
|
|
+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
|
|
+};
|
|
+static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
|
|
+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
|
|
+ 0xd7, 0xd7, 0x01, 0x67
|
|
+};
|
|
+static const unsigned char aes_128_use_df_pr_additionalinput[] = {
|
|
+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
|
|
+ 0x9a, 0x47, 0x08, 0x76
|
|
+};
|
|
+static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
|
|
+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
|
|
+ 0x09, 0xfb, 0xa3, 0xb6
|
|
+};
|
|
+static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
|
|
+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
|
|
+ 0x66, 0x1c, 0xea, 0x5b
|
|
+};
|
|
+static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
|
|
+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
|
|
+ 0x3f, 0x5e, 0x31, 0x06
|
|
+};
|
|
+static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
|
|
+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
|
|
+ 0xa7, 0xe3, 0xa8, 0x67
|
|
+};
|
|
+static const unsigned char aes_128_use_df_pr_returnedbits[] = {
|
|
+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
|
|
+ 0x0f, 0x38, 0x43, 0xc6
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-128 use df no PR
|
|
+ */
|
|
+static const unsigned char aes_128_use_df_entropyinput[] = {
|
|
+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
|
|
+ 0x9d, 0x7d, 0x1c, 0x9b
|
|
+};
|
|
+static const unsigned char aes_128_use_df_nonce[] = {
|
|
+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96,
|
|
+};
|
|
+static const unsigned char aes_128_use_df_personalizationstring[] = {
|
|
+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
|
|
+ 0x38, 0x66, 0xba, 0x1b
|
|
+};
|
|
+static const unsigned char aes_128_use_df_additionalinput[] = {
|
|
+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
|
|
+ 0xb5, 0xe2, 0xb2, 0x41
|
|
+};
|
|
+static const unsigned char aes_128_use_df_int_returnedbits[] = {
|
|
+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
|
|
+ 0xe7, 0x57, 0x11, 0xb4
|
|
+};
|
|
+static const unsigned char aes_128_use_df_entropyinputreseed[] = {
|
|
+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
|
|
+ 0xc7, 0xc4, 0x9e, 0x39
|
|
+};
|
|
+static const unsigned char aes_128_use_df_additionalinputreseed[] = {
|
|
+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
|
|
+ 0xc8, 0x93, 0xfa, 0x84
|
|
+};
|
|
+static const unsigned char aes_128_use_df_additionalinput2[] = {
|
|
+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
|
|
+ 0x06, 0x0c, 0x15, 0x2c
|
|
+};
|
|
+static const unsigned char aes_128_use_df_returnedbits[] = {
|
|
+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
|
|
+ 0x46, 0x81, 0xc7, 0x19
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-192 use df PR
|
|
+ */
|
|
+static const unsigned char aes_192_use_df_pr_entropyinput[] = {
|
|
+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
|
|
+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
|
|
+};
|
|
+static const unsigned char aes_192_use_df_pr_nonce[] = {
|
|
+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
|
|
+ 0xd1, 0x80, 0x78, 0xfa
|
|
+};
|
|
+static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
|
|
+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
|
|
+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
|
|
+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
|
|
+};
|
|
+static const unsigned char aes_192_use_df_pr_additionalinput[] = {
|
|
+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
|
|
+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
|
|
+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
|
|
+};
|
|
+static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
|
|
+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
|
|
+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5,
|
|
+};
|
|
+static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
|
|
+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
|
|
+ 0x19, 0x30, 0x6b, 0x67
|
|
+};
|
|
+static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
|
|
+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
|
|
+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
|
|
+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
|
|
+};
|
|
+static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
|
|
+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
|
|
+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e,
|
|
+};
|
|
+static const unsigned char aes_192_use_df_pr_returnedbits[] = {
|
|
+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
|
|
+ 0x7e, 0x1a, 0x2b, 0x83
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-192 use df no PR
|
|
+ */
|
|
+static const unsigned char aes_192_use_df_entropyinput[] = {
|
|
+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
|
|
+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b,
|
|
+};
|
|
+static const unsigned char aes_192_use_df_nonce[] = {
|
|
+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
|
|
+ 0x77, 0xd7, 0x41, 0x0e
|
|
+};
|
|
+static const unsigned char aes_192_use_df_personalizationstring[] = {
|
|
+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
|
|
+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
|
|
+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
|
|
+};
|
|
+static const unsigned char aes_192_use_df_additionalinput[] = {
|
|
+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
|
|
+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
|
|
+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
|
|
+};
|
|
+static const unsigned char aes_192_use_df_int_returnedbits[] = {
|
|
+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
|
|
+ 0xb7, 0xed, 0xe9, 0xea
|
|
+};
|
|
+static const unsigned char aes_192_use_df_entropyinputreseed[] = {
|
|
+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
|
|
+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01,
|
|
+};
|
|
+static const unsigned char aes_192_use_df_additionalinputreseed[] = {
|
|
+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
|
|
+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
|
|
+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
|
|
+};
|
|
+static const unsigned char aes_192_use_df_additionalinput2[] = {
|
|
+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
|
|
+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
|
|
+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
|
|
+};
|
|
+static const unsigned char aes_192_use_df_returnedbits[] = {
|
|
+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
|
|
+ 0x1a, 0xf9, 0x13, 0x28
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-256 use df PR
|
|
+ */
|
|
+static const unsigned char aes_256_use_df_pr_entropyinput[] = {
|
|
+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
|
|
+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
|
|
+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
|
|
+};
|
|
+static const unsigned char aes_256_use_df_pr_nonce[] = {
|
|
+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
|
|
+ 0x2b, 0x36, 0xff, 0xa4
|
|
+};
|
|
+static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
|
|
+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
|
|
+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
|
|
+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
|
|
+};
|
|
+static const unsigned char aes_256_use_df_pr_additionalinput[] = {
|
|
+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
|
|
+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
|
|
+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
|
|
+};
|
|
+static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
|
|
+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
|
|
+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
|
|
+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
|
|
+};
|
|
+static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
|
|
+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
|
|
+ 0x17, 0xab, 0x3c, 0x7a
|
|
+};
|
|
+static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
|
|
+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
|
|
+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
|
|
+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
|
|
+};
|
|
+static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
|
|
+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
|
|
+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
|
|
+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
|
|
+};
|
|
+static const unsigned char aes_256_use_df_pr_returnedbits[] = {
|
|
+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
|
|
+ 0xd9, 0xe2, 0x97, 0x00
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-256 use df no PR
|
|
+ */
|
|
+static const unsigned char aes_256_use_df_entropyinput[] = {
|
|
+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
|
|
+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
|
|
+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
|
|
+};
|
|
+static const unsigned char aes_256_use_df_nonce[] = {
|
|
+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
|
|
+ 0x4c, 0x44, 0x84, 0x40
|
|
+};
|
|
+static const unsigned char aes_256_use_df_personalizationstring[] = {
|
|
+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
|
|
+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
|
|
+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
|
|
+};
|
|
+static const unsigned char aes_256_use_df_additionalinput[] = {
|
|
+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
|
|
+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
|
|
+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
|
|
+};
|
|
+static const unsigned char aes_256_use_df_int_returnedbits[] = {
|
|
+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
|
|
+ 0x28, 0x0c, 0x3b, 0xc1
|
|
+};
|
|
+static const unsigned char aes_256_use_df_entropyinputreseed[] = {
|
|
+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
|
|
+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
|
|
+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
|
|
+};
|
|
+static const unsigned char aes_256_use_df_additionalinputreseed[] = {
|
|
+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
|
|
+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
|
|
+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
|
|
+};
|
|
+static const unsigned char aes_256_use_df_additionalinput2[] = {
|
|
+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
|
|
+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
|
|
+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
|
|
+};
|
|
+static const unsigned char aes_256_use_df_returnedbits[] = {
|
|
+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
|
|
+ 0xfa, 0xfd, 0x35, 0x5e
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-128 no df PR
|
|
+ */
|
|
+static const unsigned char aes_128_no_df_pr_entropyinput[] = {
|
|
+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
|
|
+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
|
|
+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
|
|
+};
|
|
+static const unsigned char aes_128_no_df_pr_nonce[] = {
|
|
+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1,
|
|
+};
|
|
+static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
|
|
+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
|
|
+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
|
|
+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
|
|
+};
|
|
+static const unsigned char aes_128_no_df_pr_additionalinput[] = {
|
|
+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
|
|
+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
|
|
+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
|
|
+};
|
|
+static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
|
|
+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
|
|
+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
|
|
+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
|
|
+};
|
|
+static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
|
|
+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
|
|
+ 0xaf, 0x19, 0x32, 0x16
|
|
+};
|
|
+static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
|
|
+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
|
|
+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
|
|
+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
|
|
+};
|
|
+static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
|
|
+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
|
|
+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
|
|
+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
|
|
+};
|
|
+static const unsigned char aes_128_no_df_pr_returnedbits[] = {
|
|
+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
|
|
+ 0x57, 0x82, 0x33, 0xaf
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-128 no df no PR
|
|
+ */
|
|
+static const unsigned char aes_128_no_df_entropyinput[] = {
|
|
+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
|
|
+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
|
|
+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
|
|
+};
|
|
+static const unsigned char aes_128_no_df_nonce[] = {
|
|
+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13,
|
|
+};
|
|
+static const unsigned char aes_128_no_df_personalizationstring[] = {
|
|
+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
|
|
+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
|
|
+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
|
|
+};
|
|
+static const unsigned char aes_128_no_df_additionalinput[] = {
|
|
+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
|
|
+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
|
|
+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
|
|
+};
|
|
+static const unsigned char aes_128_no_df_int_returnedbits[] = {
|
|
+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
|
|
+ 0xed, 0x3e, 0x65, 0xc2
|
|
+};
|
|
+static const unsigned char aes_128_no_df_entropyinputreseed[] = {
|
|
+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
|
|
+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
|
|
+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
|
|
+};
|
|
+static const unsigned char aes_128_no_df_additionalinputreseed[] = {
|
|
+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
|
|
+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
|
|
+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
|
|
+};
|
|
+static const unsigned char aes_128_no_df_additionalinput2[] = {
|
|
+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
|
|
+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
|
|
+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
|
|
+};
|
|
+static const unsigned char aes_128_no_df_returnedbits[] = {
|
|
+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
|
|
+ 0x81, 0x37, 0x19, 0xd4
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-192 no df PR
|
|
+ */
|
|
+static const unsigned char aes_192_no_df_pr_entropyinput[] = {
|
|
+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
|
|
+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
|
|
+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
|
|
+ 0x17, 0x1f, 0x8d, 0x9a
|
|
+};
|
|
+static const unsigned char aes_192_no_df_pr_nonce[] = {
|
|
+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
|
|
+ 0x61, 0x5c, 0xee, 0x0f
|
|
+};
|
|
+static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
|
|
+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
|
|
+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
|
|
+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
|
|
+ 0x57, 0x2e, 0xe7, 0x55
|
|
+};
|
|
+static const unsigned char aes_192_no_df_pr_additionalinput[] = {
|
|
+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
|
|
+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
|
|
+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
|
|
+ 0xe2, 0xd0, 0x0c, 0x2f
|
|
+};
|
|
+static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
|
|
+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
|
|
+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
|
|
+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
|
|
+ 0x1d, 0x30, 0xb3, 0x78
|
|
+};
|
|
+static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
|
|
+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
|
|
+ 0x7e, 0x3e, 0x0c, 0x26
|
|
+};
|
|
+static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
|
|
+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
|
|
+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
|
|
+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
|
|
+ 0x0c, 0x4b, 0xee, 0x6e
|
|
+};
|
|
+static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
|
|
+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
|
|
+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
|
|
+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
|
|
+ 0x8e, 0x0a, 0x83, 0xdf
|
|
+};
|
|
+static const unsigned char aes_192_no_df_pr_returnedbits[] = {
|
|
+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
|
|
+ 0xb9, 0xa1, 0x21, 0x68
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-192 no df no PR
|
|
+ */
|
|
+static const unsigned char aes_192_no_df_entropyinput[] = {
|
|
+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
|
|
+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
|
|
+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
|
|
+ 0x94, 0xc3, 0x59, 0x63
|
|
+};
|
|
+static const unsigned char aes_192_no_df_nonce[] = {
|
|
+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
|
|
+ 0x29, 0xfd, 0x45, 0x71
|
|
+};
|
|
+static const unsigned char aes_192_no_df_personalizationstring[] = {
|
|
+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
|
|
+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
|
|
+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
|
|
+ 0x3b, 0x88, 0xce, 0x35
|
|
+};
|
|
+static const unsigned char aes_192_no_df_additionalinput[] = {
|
|
+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
|
|
+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
|
|
+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
|
|
+ 0x3e, 0xbe, 0xd4, 0x8e
|
|
+};
|
|
+static const unsigned char aes_192_no_df_int_returnedbits[] = {
|
|
+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
|
|
+ 0x45, 0xe7, 0x4a, 0xc5
|
|
+};
|
|
+static const unsigned char aes_192_no_df_entropyinputreseed[] = {
|
|
+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
|
|
+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
|
|
+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
|
|
+ 0x9b, 0xcb, 0x7e, 0x75
|
|
+};
|
|
+static const unsigned char aes_192_no_df_additionalinputreseed[] = {
|
|
+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
|
|
+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
|
|
+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
|
|
+ 0x5d, 0x7a, 0x25, 0x79
|
|
+};
|
|
+static const unsigned char aes_192_no_df_additionalinput2[] = {
|
|
+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
|
|
+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
|
|
+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
|
|
+ 0x91, 0x6a, 0xe3, 0x5f
|
|
+};
|
|
+static const unsigned char aes_192_no_df_returnedbits[] = {
|
|
+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
|
|
+ 0x66, 0x67, 0x2c, 0x92
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-256 no df PR
|
|
+ */
|
|
+static const unsigned char aes_256_no_df_pr_entropyinput[] = {
|
|
+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
|
|
+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
|
|
+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
|
|
+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_pr_nonce[] = {
|
|
+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
|
|
+ 0xcc, 0x4b, 0xee, 0x2e
|
|
+};
|
|
+static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
|
|
+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
|
|
+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
|
|
+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
|
|
+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_pr_additionalinput[] = {
|
|
+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
|
|
+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
|
|
+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
|
|
+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
|
|
+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
|
|
+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
|
|
+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
|
|
+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
|
|
+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
|
|
+ 0x79, 0x60, 0x93, 0xcf
|
|
+};
|
|
+static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
|
|
+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
|
|
+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
|
|
+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
|
|
+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
|
|
+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
|
|
+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
|
|
+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
|
|
+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_pr_returnedbits[] = {
|
|
+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
|
|
+ 0x2d, 0x5f, 0x4a, 0x46
|
|
+};
|
|
+
|
|
+
|
|
+/*
|
|
+ * AES-256 no df no PR
|
|
+ */
|
|
+static const unsigned char aes_256_no_df_entropyinput[] = {
|
|
+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
|
|
+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
|
|
+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
|
|
+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_nonce[] = {
|
|
+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
|
|
+ 0x43, 0x96, 0xb9, 0xf0
|
|
+};
|
|
+static const unsigned char aes_256_no_df_personalizationstring[] = {
|
|
+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
|
|
+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
|
|
+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
|
|
+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_additionalinput[] = {
|
|
+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
|
|
+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
|
|
+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
|
|
+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_int_returnedbits[] = {
|
|
+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
|
|
+ 0xd2, 0x25, 0x75, 0x0e
|
|
+};
|
|
+static const unsigned char aes_256_no_df_entropyinputreseed[] = {
|
|
+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
|
|
+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
|
|
+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
|
|
+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_additionalinputreseed[] = {
|
|
+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
|
|
+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
|
|
+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
|
|
+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_additionalinput2[] = {
|
|
+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
|
|
+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
|
|
+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
|
|
+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6,
|
|
+};
|
|
+static const unsigned char aes_256_no_df_returnedbits[] = {
|
|
+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
|
|
+ 0xf6, 0x02, 0x32, 0xe2
|
|
+};
|
|
Index: openssl-1.1.1g/crypto/fips/fips_post.c
|
|
===================================================================
|
|
--- openssl-1.1.1g.orig/crypto/fips/fips_post.c 2020-05-15 16:18:44.030685013 +0200
|
|
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-05-15 16:19:01.662586731 +0200
|
|
@@ -51,7 +51,6 @@
|
|
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/rand.h>
|
|
-#include <openssl/fips_rand.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/bio.h>
|
|
#include <openssl/hmac.h>
|
|
Index: openssl-1.1.1g/crypto/fips/build.info
|
|
===================================================================
|
|
--- openssl-1.1.1g.orig/crypto/fips/build.info 2020-05-15 16:18:44.030685013 +0200
|
|
+++ openssl-1.1.1g/crypto/fips/build.info 2020-05-15 16:19:01.662586731 +0200
|
|
@@ -2,7 +2,7 @@ LIBS=../../libcrypto
|
|
SOURCE[../../libcrypto]=\
|
|
fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
|
|
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
|
|
- fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
|
|
+ fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
|
|
fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
|
|
fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
|
|
fips_dh_selftest.c fips_ers.c
|
|
Index: openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
|
|
===================================================================
|
|
--- openssl-1.1.1g.orig/crypto/fips/fips_drbg_selftest.c 2020-05-15 16:18:44.030685013 +0200
|
|
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-05-15 16:19:01.666586709 +0200
|
|
@@ -774,6 +774,7 @@ int FIPS_drbg_health_check(DRBG_CTX *dct
|
|
return rv;
|
|
}
|
|
|
|
+#if 0
|
|
int FIPS_selftest_drbg(void)
|
|
{
|
|
DRBG_CTX *dctx;
|
|
@@ -798,6 +799,7 @@ int FIPS_selftest_drbg(void)
|
|
FIPS_drbg_free(dctx);
|
|
return rv;
|
|
}
|
|
+#endif
|
|
|
|
int FIPS_selftest_drbg_all(void)
|
|
{
|
|
Index: openssl-1.1.1g/crypto/fips/fips.c
|
|
===================================================================
|
|
--- openssl-1.1.1g.orig/crypto/fips/fips.c 2020-05-15 16:18:44.030685013 +0200
|
|
+++ openssl-1.1.1g/crypto/fips/fips.c 2020-05-15 16:19:01.666586709 +0200
|
|
@@ -50,7 +50,6 @@
|
|
#define _GNU_SOURCE
|
|
|
|
#include <openssl/rand.h>
|
|
-#include <openssl/fips_rand.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/bio.h>
|
|
#include <openssl/hmac.h>
|