SHA256
1
0
forked from pool/openssl-1_1
openssl-1_1/openssl-fips_selftest_upstream_drbg.patch

1826 lines
64 KiB
Diff
Raw Normal View History

Index: openssl-1.1.1g/crypto/fips/drbgtest.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.1.1g/crypto/fips/drbgtest.c 2020-05-15 16:20:15.962172616 +0200
@@ -0,0 +1,1179 @@
+/*
+ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include "internal/nelem.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/obj_mac.h>
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include "../crypto/rand/rand_local.h"
+#include "../include/crypto/rand.h"
+
+#if defined(_WIN32)
+# include <windows.h>
+#endif
+
+
+#if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <unistd.h>
+#endif
+
+#include "../../test/drbgtest.h"
+
+typedef struct drbg_selftest_data_st {
+ int post;
+ int nid;
+ unsigned int flags;
+
+ /* KAT data for no PR */
+ const unsigned char *entropy;
+ size_t entropylen;
+ const unsigned char *nonce;
+ size_t noncelen;
+ const unsigned char *pers;
+ size_t perslen;
+ const unsigned char *adin;
+ size_t adinlen;
+ const unsigned char *entropyreseed;
+ size_t entropyreseedlen;
+ const unsigned char *adinreseed;
+ size_t adinreseedlen;
+ const unsigned char *adin2;
+ size_t adin2len;
+ const unsigned char *expected;
+ size_t exlen;
+ const unsigned char *kat2;
+ size_t kat2len;
+
+ /* KAT data for PR */
+ const unsigned char *entropy_pr;
+ size_t entropylen_pr;
+ const unsigned char *nonce_pr;
+ size_t noncelen_pr;
+ const unsigned char *pers_pr;
+ size_t perslen_pr;
+ const unsigned char *adin_pr;
+ size_t adinlen_pr;
+ const unsigned char *entropypr_pr;
+ size_t entropyprlen_pr;
+ const unsigned char *ading_pr;
+ size_t adinglen_pr;
+ const unsigned char *entropyg_pr;
+ size_t entropyglen_pr;
+ const unsigned char *kat_pr;
+ size_t katlen_pr;
+ const unsigned char *kat2_pr;
+ size_t kat2len_pr;
+} DRBG_SELFTEST_DATA;
+
+#define make_drbg_test_data(nid, flag, pr, post) {\
+ post, nid, flag, \
+ pr##_entropyinput, sizeof(pr##_entropyinput), \
+ pr##_nonce, sizeof(pr##_nonce), \
+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
+ pr##_additionalinput, sizeof(pr##_additionalinput), \
+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
+ pr##_returnedbits, sizeof(pr##_returnedbits), \
+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
+ }
+
+#define make_drbg_test_data_use_df(nid, pr, p) \
+ make_drbg_test_data(nid, 0, pr, p)
+
+#define make_drbg_test_data_no_df(nid, pr, p) \
+ make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p)
+
+static DRBG_SELFTEST_DATA drbg_test[] = {
+ make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df, 0),
+ make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df, 0),
+ make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df, 1),
+ make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0),
+ make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0),
+ make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1),
+};
+
+static int app_data_index;
+
+/*
+ * Test context data, attached as EXDATA to the RAND_DRBG
+ */
+typedef struct test_ctx_st {
+ const unsigned char *entropy;
+ size_t entropylen;
+ int entropycnt;
+ const unsigned char *nonce;
+ size_t noncelen;
+ int noncecnt;
+} TEST_CTX;
+
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance)
+{
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+
+ t->entropycnt++;
+ *pout = (unsigned char *)t->entropy;
+ return t->entropylen;
+}
+
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+
+ t->noncecnt++;
+ *pout = (unsigned char *)t->nonce;
+ return t->noncelen;
+}
+
+ /*
+ * Disable CRNG testing if it is enabled.
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
+ * for which the default personalisation string is used.
+ */
+static int disable_crngt(RAND_DRBG *drbg)
+{
+ static const char pers[] = DRBG_DEFAULT_PERS_STRING;
+ const int instantiate = drbg->state != DRBG_UNINITIALISED;
+
+ if (drbg->get_entropy != rand_crngt_get_entropy)
+ return 1;
+
+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
+ || !RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
+ &rand_drbg_cleanup_entropy,
+ &rand_drbg_get_nonce,
+ &rand_drbg_cleanup_nonce)
+ || (instantiate
+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
+ sizeof(pers) - 1)))
+ return 0;
+ return 1;
+}
+
+static int uninstantiate(RAND_DRBG *drbg)
+{
+ int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
+
+ ERR_clear_error();
+ return ret;
+}
+
+/*
+ * Do a single KAT test. Return 0 on failure.
+ */
+static int single_kat(DRBG_SELFTEST_DATA *td)
+{
+ RAND_DRBG *drbg = NULL;
+ TEST_CTX t;
+ int failures = 0;
+ unsigned char buff[1024];
+
+ /*
+ * Test without PR: Instantiate DRBG with test entropy, nonce and
+ * personalisation string.
+ */
+ if ((drbg = RAND_DRBG_new(td->nid, td->flags, NULL)) == NULL)
+ return 0;
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+ kat_nonce, NULL)
+ || !disable_crngt(drbg)) {
+ failures++;
+ goto err;
+ }
+ memset(&t, 0, sizeof(t));
+ t.entropy = td->entropy;
+ t.entropylen = td->entropylen;
+ t.nonce = td->nonce;
+ t.noncelen = td->noncelen;
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+ if (!RAND_DRBG_instantiate(drbg, td->pers, td->perslen)
+ || !RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+ td->adin, td->adinlen)
+ || memcmp(td->expected, buff, td->exlen))
+ failures++;
+
+ /* Reseed DRBG with test entropy and additional input */
+ t.entropy = td->entropyreseed;
+ t.entropylen = td->entropyreseedlen;
+ if (!RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0)
+ || !RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
+ td->adin2, td->adin2len)
+ || memcmp(td->kat2, buff, td->kat2len))
+ failures++;
+ uninstantiate(drbg);
+
+ /*
+ * Now test with PR: Instantiate DRBG with test entropy, nonce and
+ * personalisation string.
+ */
+ if (!RAND_DRBG_set(drbg, td->nid, td->flags)
+ || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+ kat_nonce, NULL))
+ failures++;
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+ t.entropy = td->entropy_pr;
+ t.entropylen = td->entropylen_pr;
+ t.nonce = td->nonce_pr;
+ t.noncelen = td->noncelen_pr;
+ t.entropycnt = 0;
+ t.noncecnt = 0;
+ if (!RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr))
+ failures++;
+
+ /*
+ * Now generate with PR: we need to supply entropy as this will
+ * perform a reseed operation.
+ */
+ t.entropy = td->entropypr_pr;
+ t.entropylen = td->entropyprlen_pr;
+ if (!RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
+ td->adin_pr, td->adinlen_pr)
+ || memcmp(td->kat_pr, buff, td->katlen_pr))
+ failures++;
+
+ /*
+ * Now generate again with PR: supply new entropy again.
+ */
+ t.entropy = td->entropyg_pr;
+ t.entropylen = td->entropyglen_pr;
+
+ if (!RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
+ td->ading_pr, td->adinglen_pr)
+ || memcmp(td->kat2_pr, buff, td->kat2len_pr))
+ failures++;
+
+err:
+ uninstantiate(drbg);
+ RAND_DRBG_free(drbg);
+ return failures == 0;
+}
+
+/*
+ * Initialise a DRBG based on selftest data
+ */
+static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
+{
+ if (!RAND_DRBG_set(drbg, td->nid, td->flags)
+ || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+ kat_nonce, NULL))
+ return 0;
+ RAND_DRBG_set_ex_data(drbg, app_data_index, t);
+ t->entropy = td->entropy;
+ t->entropylen = td->entropylen;
+ t->nonce = td->nonce;
+ t->noncelen = td->noncelen;
+ t->entropycnt = 0;
+ t->noncecnt = 0;
+ return 1;
+}
+
+/*
+ * Initialise and instantiate DRBG based on selftest data
+ */
+static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td,
+ TEST_CTX *t)
+{
+ if (!init(drbg, td, t)
+ || !RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
+ return 0;
+ return 1;
+}
+
+/*
+ * Perform extensive error checking as required by SP800-90.
+ * Induce several failure modes and check an error condition is set.
+ */
+static int error_check(DRBG_SELFTEST_DATA *td)
+{
+ static char zero[sizeof(RAND_DRBG)];
+ RAND_DRBG *drbg = NULL;
+ TEST_CTX t;
+ unsigned char buff[1024];
+ unsigned int reseed_counter_tmp;
+ int ret = 0;
+
+ if (!(drbg = RAND_DRBG_new(0, 0, NULL))
+ || !disable_crngt(drbg))
+ goto err;
+
+ /*
+ * Personalisation string tests
+ */
+
+ /* Test detection of too large personalisation string */
+ if (!init(drbg, td, &t)
+ || RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
+ goto err;
+
+ /*
+ * Entropy source tests
+ */
+
+ /* Test entropy source failure detection: i.e. returns no data */
+ t.entropylen = 0;
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0)
+ goto err;
+
+ /* Try to generate output from uninstantiated DRBG */
+ if (RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+ td->adin, td->adinlen)
+ || !uninstantiate(drbg))
+ goto err;
+
+ /* Test insufficient entropy */
+ if (!init(drbg, td, &t))
+ goto err;
+ t.entropylen = drbg->min_entropylen - 1;
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+ || !uninstantiate(drbg))
+ goto err;
+
+ /* Test too much entropy */
+ if (!init(drbg, td, &t))
+ goto err;
+ t.entropylen = drbg->max_entropylen + 1;
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+ || !uninstantiate(drbg))
+ goto err;
+
+ /*
+ * Nonce tests
+ */
+
+ /* Test too small nonce */
+ if (drbg->min_noncelen) {
+ if (!init(drbg, td, &t))
+ goto err;
+ t.noncelen = drbg->min_noncelen - 1;
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+ || !uninstantiate(drbg))
+ goto err;
+ }
+
+ /* Test too large nonce */
+ if (drbg->max_noncelen) {
+ if (!init(drbg, td, &t))
+ goto err;
+ t.noncelen = drbg->max_noncelen + 1;
+ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+ || !uninstantiate(drbg))
+ goto err;
+ }
+
+ /* Instantiate with valid data, Check generation is now OK */
+ if (!instantiate(drbg, td, &t)
+ || !RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+ td->adin, td->adinlen))
+ goto err;
+
+ /* Request too much data for one request */
+ if (RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
+ td->adin, td->adinlen))
+ goto err;
+
+ /* Try too large additional input */
+ if (RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+ td->adin, drbg->max_adinlen + 1))
+ goto err;
+
+ /*
+ * Check prediction resistance request fails if entropy source
+ * failure.
+ */
+ t.entropylen = 0;
+ if (RAND_DRBG_generate(drbg, buff, td->exlen, 1,
+ td->adin, td->adinlen)
+ || !uninstantiate(drbg))
+ goto err;
+
+ /* Instantiate again with valid data */
+ if (!instantiate(drbg, td, &t))
+ goto err;
+ reseed_counter_tmp = drbg->generate_counter;
+ drbg->generate_counter = drbg->reseed_interval;
+
+ /* Generate output and check entropy has been requested for reseed */
+ t.entropycnt = 0;
+ if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+ td->adin, td->adinlen)
+ || t.entropycnt != 1
+ || drbg->generate_counter != reseed_counter_tmp + 1
+ || !uninstantiate(drbg))
+ goto err;
+
+ /*
+ * Check prediction resistance request fails if entropy source
+ * failure.
+ */
+ t.entropylen = 0;
+ if (RAND_DRBG_generate(drbg, buff, td->exlen, 1,
+ td->adin, td->adinlen)
+ || !uninstantiate(drbg))
+ goto err;
+
+ /* Test reseed counter works */
+ if (!instantiate(drbg, td, &t))
+ goto err;
+ reseed_counter_tmp = drbg->generate_counter;
+ drbg->generate_counter = drbg->reseed_interval;
+
+ /* Generate output and check entropy has been requested for reseed */
+ t.entropycnt = 0;
+ if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+ td->adin, td->adinlen)
+ || t.entropycnt != 1
+ || drbg->generate_counter != reseed_counter_tmp + 1
+ || !uninstantiate(drbg))
+ goto err;
+
+ /*
+ * Explicit reseed tests
+ */
+
+ /* Test explicit reseed with too large additional input */
+ if (!instantiate(drbg, td, &t)
+ || RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0)
+ goto err;
+
+ /* Test explicit reseed with entropy source failure */
+ t.entropylen = 0;
+ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
+ || !uninstantiate(drbg))
+ goto err;
+
+ /* Test explicit reseed with too much entropy */
+ if (!instantiate(drbg, td, &t))
+ goto err;
+ t.entropylen = drbg->max_entropylen + 1;
+ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
+ || !uninstantiate(drbg))
+ goto err;
+
+ /* Test explicit reseed with too little entropy */
+ if (!instantiate(drbg, td, &t))
+ goto err;
+ t.entropylen = drbg->min_entropylen - 1;
+ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
+ || !uninstantiate(drbg))
+ goto err;
+
+ /* Standard says we have to check uninstantiate really zeroes */
+ /*
+ * RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(),
+ * but right after that it resets drbg->data.ctr using RAND_DRBG_set(), so
+ * the following memcmp will fail.
+ */
+#if 0
+ if (memcmp(zero, &drbg->data, sizeof(drbg->data)))
+ goto err;
+#endif
+
+ ret = 1;
+
+err:
+ uninstantiate(drbg);
+ RAND_DRBG_free(drbg);
+ return ret;
+}
+
+static int test_kats(int i)
+{
+ DRBG_SELFTEST_DATA *td = &drbg_test[i];
+ int rv = 0;
+
+ if (!single_kat(td))
+ goto err;
+ rv = 1;
+
+err:
+ return rv;
+}
+
+static int test_error_checks(int i)
+{
+ DRBG_SELFTEST_DATA *td = &drbg_test[i];
+ int rv = 0;
+
+ if (!error_check(td))
+ goto err;
+ rv = 1;
+
+err:
+ return rv;
+}
+
+/*
+ * Hook context data, attached as EXDATA to the RAND_DRBG
+ */
+typedef struct hook_ctx_st {
+ RAND_DRBG *drbg;
+ /*
+ * Currently, all DRBGs use the same get_entropy() callback.
+ * The tests however, don't assume this and store
+ * the original callback for every DRBG separately.
+ */
+ RAND_DRBG_get_entropy_fn get_entropy;
+ /* forces a failure of the get_entropy() call if nonzero */
+ int fail;
+ /* counts successful reseeds */
+ int reseed_count;
+} HOOK_CTX;
+
+static HOOK_CTX master_ctx, public_ctx, private_ctx;
+
+static HOOK_CTX *get_hook_ctx(RAND_DRBG *drbg)
+{
+ return (HOOK_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+}
+
+/* Intercepts and counts calls to the get_entropy() callback */
+static size_t get_entropy_hook(RAND_DRBG *drbg, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance)
+{
+ size_t ret;
+ HOOK_CTX *ctx = get_hook_ctx(drbg);
+
+ if (ctx->fail != 0)
+ return 0;
+
+ ret = ctx->get_entropy(drbg, pout, entropy, min_len, max_len,
+ prediction_resistance);
+
+ if (ret != 0)
+ ctx->reseed_count++;
+ return ret;
+}
+
+/* Installs a hook for the get_entropy() callback of the given drbg */
+static void hook_drbg(RAND_DRBG *drbg, HOOK_CTX *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->drbg = drbg;
+ ctx->get_entropy = drbg->get_entropy;
+ drbg->get_entropy = get_entropy_hook;
+ RAND_DRBG_set_ex_data(drbg, app_data_index, ctx);
+}
+
+/* Installs the hook for the get_entropy() callback of the given drbg */
+static void unhook_drbg(RAND_DRBG *drbg)
+{
+ HOOK_CTX *ctx = get_hook_ctx(drbg);
+
+ drbg->get_entropy = ctx->get_entropy;
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
+}
+
+/* Resets the given hook context */
+static void reset_hook_ctx(HOOK_CTX *ctx)
+{
+ ctx->fail = 0;
+ ctx->reseed_count = 0;
+}
+
+/* Resets all drbg hook contexts */
+static void reset_drbg_hook_ctx(void)
+{
+ reset_hook_ctx(&master_ctx);
+ reset_hook_ctx(&public_ctx);
+ reset_hook_ctx(&private_ctx);
+}
+
+/*
+ * Generates random output using RAND_bytes() and RAND_priv_bytes()
+ * and checks whether the three shared DRBGs were reseeded as
+ * expected.
+ *
+ * |expect_success|: expected outcome (as reported by RAND_status())
+ * |master|, |public|, |private|: pointers to the three shared DRBGs
+ * |expect_xxx_reseed| =
+ * 1: it is expected that the specified DRBG is reseeded
+ * 0: it is expected that the specified DRBG is not reseeded
+ * -1: don't check whether the specified DRBG was reseeded or not
+ * |reseed_time|: if nonzero, used instead of time(NULL) to set the
+ * |before_reseed| time.
+ */
+static int test_drbg_reseed(int expect_success,
+ RAND_DRBG *master,
+ RAND_DRBG *public,
+ RAND_DRBG *private,
+ int expect_master_reseed,
+ int expect_public_reseed,
+ int expect_private_reseed,
+ time_t reseed_time
+ )
+{
+ unsigned char buf[32];
+ time_t before_reseed, after_reseed;
+ int expected_state = (expect_success ? DRBG_READY : DRBG_ERROR);
+
+ /*
+ * step 1: check preconditions
+ */
+
+ /* Test whether seed propagation is enabled */
+ if (master->reseed_counter == 0
+ || public->reseed_counter == 0
+ || private->reseed_counter == 0)
+ return 0;
+
+ /* Check whether the master DRBG's reseed counter is the largest one */
+ if (public->reseed_counter > master->reseed_counter
+ || private->reseed_counter > master->reseed_counter)
+ return 0;
+
+ /*
+ * step 2: generate random output
+ */
+
+ if (reseed_time == 0)
+ reseed_time = time(NULL);
+
+ /* Generate random output from the public and private DRBG */
+ before_reseed = expect_master_reseed == 1 ? reseed_time : 0;
+ if (RAND_bytes(buf, sizeof(buf)) != expect_success
+ || RAND_priv_bytes(buf, sizeof(buf)) != expect_success)
+ return 0;
+ after_reseed = time(NULL);
+
+
+ /*
+ * step 3: check postconditions
+ */
+
+ /* Test whether reseeding succeeded as expected */
+ if (master->state != expected_state
+ || public->state != expected_state
+ || private->state != expected_state)
+ return 0;
+
+ if (expect_master_reseed >= 0) {
+ /* Test whether master DRBG was reseeded as expected */
+ if (master_ctx.reseed_count != expect_master_reseed)
+ return 0;
+ }
+
+ if (expect_public_reseed >= 0) {
+ /* Test whether public DRBG was reseeded as expected */
+ if (public_ctx.reseed_count != expect_public_reseed)
+ return 0;
+ }
+
+ if (expect_private_reseed >= 0) {
+ /* Test whether public DRBG was reseeded as expected */
+ if (private_ctx.reseed_count != expect_private_reseed)
+ return 0;
+ }
+
+ if (expect_success == 1) {
+ /* Test whether all three reseed counters are synchronized */
+ if (public->reseed_counter != master->reseed_counter
+ || private->reseed_counter != master->reseed_counter)
+ return 0;
+
+ /* Test whether reseed time of master DRBG is set correctly */
+ if (before_reseed > master->reseed_time
+ || master->reseed_time > after_reseed)
+ return 0;
+
+ /* Test whether reseed times of child DRBGs are synchronized with master */
+ if (public->reseed_time < master->reseed_time
+ || private->reseed_time < master->reseed_time)
+ return 0;
+ } else {
+ ERR_clear_error();
+ }
+
+ return 1;
+}
+
+
+#if defined(OPENSSL_SYS_UNIX)
+/*
+ * Test whether master, public and private DRBG are reseeded after
+ * forking the process.
+ */
+static int test_drbg_reseed_after_fork(RAND_DRBG *master,
+ RAND_DRBG *public,
+ RAND_DRBG *private)
+{
+ pid_t pid;
+ int status=0;
+
+ pid = fork();
+ if (pid < 0)
+ return 0;
+
+ if (pid > 0) {
+ /* I'm the parent; wait for the child and check its exit code */
+ return (waitpid(pid, &status, 0) == pid) && status == 0;
+ }
+
+ /* I'm the child; check whether all three DRBGs reseed. */
+ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))
+ status = 1;
+
+ /* Remove hooks */
+ unhook_drbg(master);
+ unhook_drbg(public);
+ unhook_drbg(private);
+ exit(status);
+}
+#endif
+
+/*
+ * Test whether the default rand_method (RAND_OpenSSL()) is
+ * setup correctly, in particular whether reseeding works
+ * as designed.
+ */
+static int test_rand_drbg_reseed(void)
+{
+ RAND_DRBG *master, *public, *private;
+ unsigned char rand_add_buf[256];
+ int rv=0;
+ time_t before_reseed;
+
+ /* Check whether RAND_OpenSSL() is the default method */
+ if (RAND_get_rand_method() != RAND_OpenSSL())
+ return 0;
+
+ /* All three DRBGs should be non-null */
+ if (!(master = RAND_DRBG_get0_master())
+ || !(public = RAND_DRBG_get0_public())
+ || !(private = RAND_DRBG_get0_private()))
+ return 0;
+
+ /* There should be three distinct DRBGs, two of them chained to master */
+ if (public == private
+ || public == master
+ || private == master
+ || public->parent != master
+ || private->parent != master)
+ return 0;
+
+ /* Disable CRNG testing for the master DRBG */
+ if (!disable_crngt(master))
+ return 0;
+
+ /* uninstantiate the three global DRBGs */
+ RAND_DRBG_uninstantiate(private);
+ RAND_DRBG_uninstantiate(public);
+ RAND_DRBG_uninstantiate(master);
+
+
+ /* Install hooks for the following tests */
+ hook_drbg(master, &master_ctx);
+ hook_drbg(public, &public_ctx);
+ hook_drbg(private, &private_ctx);
+
+
+ /*
+ * Test initial seeding of shared DRBGs
+ */
+ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))
+ goto error;
+ reset_drbg_hook_ctx();
+
+
+ /*
+ * Test initial state of shared DRBGs
+ */
+ if (!test_drbg_reseed(1, master, public, private, 0, 0, 0, 0))
+ goto error;
+ reset_drbg_hook_ctx();
+
+ /*
+ * Test whether the public and private DRBG are both reseeded when their
+ * reseed counters differ from the master's reseed counter.
+ */
+ master->reseed_counter++;
+ if (!test_drbg_reseed(1, master, public, private, 0, 1, 1, 0))
+ goto error;
+ reset_drbg_hook_ctx();
+
+ /*
+ * Test whether the public DRBG is reseeded when its reseed counter differs
+ * from the master's reseed counter.
+ */
+ master->reseed_counter++;
+ private->reseed_counter++;
+ if (!test_drbg_reseed(1, master, public, private, 0, 1, 0, 0))
+ goto error;
+ reset_drbg_hook_ctx();
+
+ /*
+ * Test whether the private DRBG is reseeded when its reseed counter differs
+ * from the master's reseed counter.
+ */
+ master->reseed_counter++;
+ public->reseed_counter++;
+ if (!test_drbg_reseed(1, master, public, private, 0, 0, 1, 0))
+ goto error;
+ reset_drbg_hook_ctx();
+
+#if defined(OPENSSL_SYS_UNIX)
+ if (!test_drbg_reseed_after_fork(master, public, private))
+ goto error;
+#endif
+
+ /* fill 'randomness' buffer with some arbitrary data */
+ memset(rand_add_buf, 'r', sizeof(rand_add_buf));
+
+ /*
+ * Test whether all three DRBGs are reseeded by RAND_add().
+ * The before_reseed time has to be measured here and passed into the
+ * test_drbg_reseed() test, because the master DRBG gets already reseeded
+ * in RAND_add(), whence the check for the condition
+ * before_reseed <= master->reseed_time will fail if the time value happens
+ * to increase between the RAND_add() and the test_drbg_reseed() call.
+ */
+ before_reseed = time(NULL);
+ RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
+ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1,
+ before_reseed))
+ goto error;
+ reset_drbg_hook_ctx();
+
+
+ /*
+ * Test whether none of the DRBGs is reseed if the master fails to reseed
+ */
+ master_ctx.fail = 1;
+ master->reseed_counter++;
+ RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
+ if (!test_drbg_reseed(0, master, public, private, 0, 0, 0, 0))
+ goto error;
+ reset_drbg_hook_ctx();
+
+ rv = 1;
+
+error:
+ /* Remove hooks */
+ unhook_drbg(master);
+ unhook_drbg(public);
+ unhook_drbg(private);
+
+ return rv;
+}
+
+#if defined(OPENSSL_THREADS)
+static int multi_thread_rand_bytes_succeeded = 1;
+static int multi_thread_rand_priv_bytes_succeeded = 1;
+
+static void run_multi_thread_test(void)
+{
+ unsigned char buf[256];
+ time_t start = time(NULL);
+ RAND_DRBG *public = NULL, *private = NULL;
+
+ if (!(public = RAND_DRBG_get0_public())
+ || !(private = RAND_DRBG_get0_private())) {
+ multi_thread_rand_bytes_succeeded = 0;
+ return;
+ }
+ RAND_DRBG_set_reseed_time_interval(private, 1);
+ RAND_DRBG_set_reseed_time_interval(public, 1);
+
+ do {
+ if (RAND_bytes(buf, sizeof(buf)) <= 0)
+ multi_thread_rand_bytes_succeeded = 0;
+ if (RAND_priv_bytes(buf, sizeof(buf)) <= 0)
+ multi_thread_rand_priv_bytes_succeeded = 0;
+ }
+ while(time(NULL) - start < 5);
+}
+
+# if defined(OPENSSL_SYS_WINDOWS)
+
+typedef HANDLE thread_t;
+
+static DWORD WINAPI thread_run(LPVOID arg)
+{
+ run_multi_thread_test();
+ /*
+ * Because we're linking with a static library, we must stop each
+ * thread explicitly, or so says OPENSSL_thread_stop(3)
+ */
+ OPENSSL_thread_stop();
+ return 0;
+}
+
+static int run_thread(thread_t *t)
+{
+ *t = CreateThread(NULL, 0, thread_run, NULL, 0, NULL);
+ return *t != NULL;
+}
+
+static int wait_for_thread(thread_t thread)
+{
+ return WaitForSingleObject(thread, INFINITE) == 0;
+}
+
+# else
+
+typedef pthread_t thread_t;
+
+static void *thread_run(void *arg)
+{
+ run_multi_thread_test();
+ /*
+ * Because we're linking with a static library, we must stop each
+ * thread explicitly, or so says OPENSSL_thread_stop(3)
+ */
+ OPENSSL_thread_stop();
+ return NULL;
+}
+
+static int run_thread(thread_t *t)
+{
+ return pthread_create(t, NULL, thread_run, NULL) == 0;
+}
+
+static int wait_for_thread(thread_t thread)
+{
+ return pthread_join(thread, NULL) == 0;
+}
+
+# endif
+
+/*
+ * The main thread will also run the test, so we'll have THREADS+1 parallel
+ * tests running
+ */
+# define THREADS 3
+
+static int test_multi_thread(void)
+{
+ thread_t t[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ run_thread(&t[i]);
+ run_multi_thread_test();
+ for (i = 0; i < THREADS; i++)
+ wait_for_thread(t[i]);
+
+ if (!multi_thread_rand_bytes_succeeded)
+ return 0;
+ if (!multi_thread_rand_priv_bytes_succeeded)
+ return 0;
+
+ return 1;
+}
+#endif
+
+/*
+ * Test that instantiation with RAND_seed() works as expected
+ *
+ * If no os entropy source is available then RAND_seed(buffer, bufsize)
+ * is expected to succeed if and only if the buffer length is at least
+ * rand_drbg_seedlen(master) bytes.
+ *
+ * If an os entropy source is available then RAND_seed(buffer, bufsize)
+ * is expected to succeed always.
+ */
+static int test_rand_seed(void)
+{
+ RAND_DRBG *master = NULL;
+ unsigned char rand_buf[256];
+ size_t rand_buflen;
+ size_t required_seed_buflen = 0;
+
+ if (!(master = RAND_DRBG_get0_master())
+ || !disable_crngt(master))
+ return 0;
+
+#ifdef OPENSSL_RAND_SEED_NONE
+ required_seed_buflen = rand_drbg_seedlen(master);
+#endif
+
+ memset(rand_buf, 0xCD, sizeof(rand_buf));
+
+ for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
+ RAND_DRBG_uninstantiate(master);
+ RAND_seed(rand_buf, rand_buflen);
+
+ if (RAND_status() != (rand_buflen >= required_seed_buflen))
+ return 0;
+ }
+
+ return 1;
+}
+
+/*
+ * Test that adding additional data with RAND_add() works as expected
+ * when the master DRBG is instantiated (and below its reseed limit).
+ *
+ * This should succeed regardless of whether an os entropy source is
+ * available or not.
+ */
+static int test_rand_add(void)
+{
+ unsigned char rand_buf[256];
+ size_t rand_buflen;
+
+ memset(rand_buf, 0xCD, sizeof(rand_buf));
+
+ /* make sure it's instantiated */
+ RAND_seed(rand_buf, sizeof(rand_buf));
+ if (!RAND_status())
+ return 0;
+
+ for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
+ RAND_add(rand_buf, rand_buflen, 0.0);
+ if (!RAND_status())
+ return 0;
+ }
+
+ return 1;
+}
+
+/*
+ * A list of the FIPS DRGB types.
+ */
+static const struct s_drgb_types {
+ int nid;
+ int flags;
+} drgb_types[] = {
+ { NID_aes_128_ctr, 0 },
+ { NID_aes_192_ctr, 0 },
+ { NID_aes_256_ctr, 0 },
+};
+
+/* Six cases for each covers seed sizes up to 32 bytes */
+static const size_t crngt_num_cases = 6;
+
+static size_t crngt_case, crngt_idx;
+
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
+ unsigned int *md_size)
+{
+ size_t i, z;
+
+ if (crngt_idx >= crngt_num_cases)
+ return 0;
+ /* Generate a block of unique data unless this is the duplication point */
+ z = crngt_idx++;
+ if (z > 0 && crngt_case == z)
+ z--;
+ for (i = 0; i < CRNGT_BUFSIZ; i++)
+ buf[i] = (unsigned char)(i + 'A' + z);
+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
+}
+
+static int test_crngt(int n)
+{
+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
+ RAND_DRBG *drbg = NULL;
+ unsigned char buff[100];
+ size_t ent;
+ int res = 0;
+ int expect;
+
+ if (!rand_crngt_single_init())
+ return 0;
+ rand_crngt_cleanup();
+
+ if (!(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
+ return 0;
+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
+ crngt_case = n % crngt_num_cases;
+ crngt_idx = 0;
+ crngt_get_entropy = &crngt_entropy_cb;
+ if (!rand_crngt_init())
+ goto err;
+#ifndef OPENSSL_FIPS
+ if (!RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
+ &rand_crngt_cleanup_entropy,
+ &rand_drbg_get_nonce,
+ &rand_drbg_cleanup_nonce))
+ goto err;
+#endif
+ expect = crngt_case == 0 || crngt_case > ent;
+ if (RAND_DRBG_instantiate(drbg, NULL, 0) != expect)
+ goto err;
+ if (!expect)
+ goto fin;
+ if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))
+ goto err;
+
+ expect = crngt_case == 0 || crngt_case > 2 * ent;
+ if (RAND_DRBG_reseed(drbg, NULL, 0, 0) != expect)
+ goto err;
+ if (!expect)
+ goto fin;
+ if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))
+ goto err;
+
+fin:
+ res = 1;
+err:
+#if 0
+ if (!res)
+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
+ crngt_case, crngt_idx);
+#endif
+ uninstantiate(drbg);
+ RAND_DRBG_free(drbg);
+ crngt_get_entropy = &rand_crngt_get_entropy_cb;
+ return res;
+}
+
+int FIPS_selftest_drbg(void)
+{
+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+ int i;
+
+ for (i = 0; i < OSSL_NELEM(drbg_test); i++) {
+ if (!test_kats(i))
+ return 0;
+ }
+ for (i = 0; i < OSSL_NELEM(drbg_test); i++) {
+ if (!test_error_checks(i))
+ return 0;
+ }
+
+#if 0
+ if (!test_rand_drbg_reseed())
+ return 0;
+ if (!test_rand_seed())
+ return 0;
+ if (!test_rand_add())
+ return 0;
+#if defined(OPENSSL_THREADS)
+ if (!test_multi_thread())
+ return 0;
+#endif
+ for (i = 0; i < crngt_num_cases * OSSL_NELEM(drgb_types); i++) {
+ if (!test_crngt(i))
+ return 0;
+ }
+#endif
+ return 1;
+}
+
Index: openssl-1.1.1g/crypto/fips/drbgtest.h
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.1.1g/crypto/fips/drbgtest.h 2020-05-15 16:19:01.662586731 +0200
@@ -0,0 +1,579 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Known answer tests for SP800-90 DRBG CTR mode.
+ */
+
+
+/*
+ * AES-128 use df PR
+ */
+static const unsigned char aes_128_use_df_pr_entropyinput[] = {
+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
+ 0xc8, 0xdb, 0xff, 0x12
+};
+static const unsigned char aes_128_use_df_pr_nonce[] = {
+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
+};
+static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
+ 0xd7, 0xd7, 0x01, 0x67
+};
+static const unsigned char aes_128_use_df_pr_additionalinput[] = {
+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
+ 0x9a, 0x47, 0x08, 0x76
+};
+static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
+ 0x09, 0xfb, 0xa3, 0xb6
+};
+static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
+ 0x66, 0x1c, 0xea, 0x5b
+};
+static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
+ 0x3f, 0x5e, 0x31, 0x06
+};
+static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
+ 0xa7, 0xe3, 0xa8, 0x67
+};
+static const unsigned char aes_128_use_df_pr_returnedbits[] = {
+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
+ 0x0f, 0x38, 0x43, 0xc6
+};
+
+
+/*
+ * AES-128 use df no PR
+ */
+static const unsigned char aes_128_use_df_entropyinput[] = {
+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
+ 0x9d, 0x7d, 0x1c, 0x9b
+};
+static const unsigned char aes_128_use_df_nonce[] = {
+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96,
+};
+static const unsigned char aes_128_use_df_personalizationstring[] = {
+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
+ 0x38, 0x66, 0xba, 0x1b
+};
+static const unsigned char aes_128_use_df_additionalinput[] = {
+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
+ 0xb5, 0xe2, 0xb2, 0x41
+};
+static const unsigned char aes_128_use_df_int_returnedbits[] = {
+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
+ 0xe7, 0x57, 0x11, 0xb4
+};
+static const unsigned char aes_128_use_df_entropyinputreseed[] = {
+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
+ 0xc7, 0xc4, 0x9e, 0x39
+};
+static const unsigned char aes_128_use_df_additionalinputreseed[] = {
+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
+ 0xc8, 0x93, 0xfa, 0x84
+};
+static const unsigned char aes_128_use_df_additionalinput2[] = {
+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
+ 0x06, 0x0c, 0x15, 0x2c
+};
+static const unsigned char aes_128_use_df_returnedbits[] = {
+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
+ 0x46, 0x81, 0xc7, 0x19
+};
+
+
+/*
+ * AES-192 use df PR
+ */
+static const unsigned char aes_192_use_df_pr_entropyinput[] = {
+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
+};
+static const unsigned char aes_192_use_df_pr_nonce[] = {
+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
+ 0xd1, 0x80, 0x78, 0xfa
+};
+static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
+};
+static const unsigned char aes_192_use_df_pr_additionalinput[] = {
+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
+};
+static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5,
+};
+static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
+ 0x19, 0x30, 0x6b, 0x67
+};
+static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
+};
+static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e,
+};
+static const unsigned char aes_192_use_df_pr_returnedbits[] = {
+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
+ 0x7e, 0x1a, 0x2b, 0x83
+};
+
+
+/*
+ * AES-192 use df no PR
+ */
+static const unsigned char aes_192_use_df_entropyinput[] = {
+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b,
+};
+static const unsigned char aes_192_use_df_nonce[] = {
+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
+ 0x77, 0xd7, 0x41, 0x0e
+};
+static const unsigned char aes_192_use_df_personalizationstring[] = {
+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
+};
+static const unsigned char aes_192_use_df_additionalinput[] = {
+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
+};
+static const unsigned char aes_192_use_df_int_returnedbits[] = {
+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
+ 0xb7, 0xed, 0xe9, 0xea
+};
+static const unsigned char aes_192_use_df_entropyinputreseed[] = {
+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01,
+};
+static const unsigned char aes_192_use_df_additionalinputreseed[] = {
+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
+};
+static const unsigned char aes_192_use_df_additionalinput2[] = {
+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
+};
+static const unsigned char aes_192_use_df_returnedbits[] = {
+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
+ 0x1a, 0xf9, 0x13, 0x28
+};
+
+
+/*
+ * AES-256 use df PR
+ */
+static const unsigned char aes_256_use_df_pr_entropyinput[] = {
+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
+};
+static const unsigned char aes_256_use_df_pr_nonce[] = {
+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
+ 0x2b, 0x36, 0xff, 0xa4
+};
+static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
+};
+static const unsigned char aes_256_use_df_pr_additionalinput[] = {
+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
+};
+static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
+};
+static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
+ 0x17, 0xab, 0x3c, 0x7a
+};
+static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
+};
+static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
+};
+static const unsigned char aes_256_use_df_pr_returnedbits[] = {
+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
+ 0xd9, 0xe2, 0x97, 0x00
+};
+
+
+/*
+ * AES-256 use df no PR
+ */
+static const unsigned char aes_256_use_df_entropyinput[] = {
+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
+};
+static const unsigned char aes_256_use_df_nonce[] = {
+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
+ 0x4c, 0x44, 0x84, 0x40
+};
+static const unsigned char aes_256_use_df_personalizationstring[] = {
+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
+};
+static const unsigned char aes_256_use_df_additionalinput[] = {
+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
+};
+static const unsigned char aes_256_use_df_int_returnedbits[] = {
+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
+ 0x28, 0x0c, 0x3b, 0xc1
+};
+static const unsigned char aes_256_use_df_entropyinputreseed[] = {
+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
+};
+static const unsigned char aes_256_use_df_additionalinputreseed[] = {
+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
+};
+static const unsigned char aes_256_use_df_additionalinput2[] = {
+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
+};
+static const unsigned char aes_256_use_df_returnedbits[] = {
+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
+ 0xfa, 0xfd, 0x35, 0x5e
+};
+
+
+/*
+ * AES-128 no df PR
+ */
+static const unsigned char aes_128_no_df_pr_entropyinput[] = {
+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
+};
+static const unsigned char aes_128_no_df_pr_nonce[] = {
+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1,
+};
+static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
+};
+static const unsigned char aes_128_no_df_pr_additionalinput[] = {
+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
+};
+static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
+};
+static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
+ 0xaf, 0x19, 0x32, 0x16
+};
+static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
+};
+static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
+};
+static const unsigned char aes_128_no_df_pr_returnedbits[] = {
+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
+ 0x57, 0x82, 0x33, 0xaf
+};
+
+
+/*
+ * AES-128 no df no PR
+ */
+static const unsigned char aes_128_no_df_entropyinput[] = {
+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
+};
+static const unsigned char aes_128_no_df_nonce[] = {
+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13,
+};
+static const unsigned char aes_128_no_df_personalizationstring[] = {
+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
+};
+static const unsigned char aes_128_no_df_additionalinput[] = {
+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
+};
+static const unsigned char aes_128_no_df_int_returnedbits[] = {
+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
+ 0xed, 0x3e, 0x65, 0xc2
+};
+static const unsigned char aes_128_no_df_entropyinputreseed[] = {
+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
+};
+static const unsigned char aes_128_no_df_additionalinputreseed[] = {
+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
+};
+static const unsigned char aes_128_no_df_additionalinput2[] = {
+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
+};
+static const unsigned char aes_128_no_df_returnedbits[] = {
+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
+ 0x81, 0x37, 0x19, 0xd4
+};
+
+
+/*
+ * AES-192 no df PR
+ */
+static const unsigned char aes_192_no_df_pr_entropyinput[] = {
+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
+ 0x17, 0x1f, 0x8d, 0x9a
+};
+static const unsigned char aes_192_no_df_pr_nonce[] = {
+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
+ 0x61, 0x5c, 0xee, 0x0f
+};
+static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
+ 0x57, 0x2e, 0xe7, 0x55
+};
+static const unsigned char aes_192_no_df_pr_additionalinput[] = {
+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
+ 0xe2, 0xd0, 0x0c, 0x2f
+};
+static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
+ 0x1d, 0x30, 0xb3, 0x78
+};
+static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
+ 0x7e, 0x3e, 0x0c, 0x26
+};
+static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
+ 0x0c, 0x4b, 0xee, 0x6e
+};
+static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
+ 0x8e, 0x0a, 0x83, 0xdf
+};
+static const unsigned char aes_192_no_df_pr_returnedbits[] = {
+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
+ 0xb9, 0xa1, 0x21, 0x68
+};
+
+
+/*
+ * AES-192 no df no PR
+ */
+static const unsigned char aes_192_no_df_entropyinput[] = {
+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
+ 0x94, 0xc3, 0x59, 0x63
+};
+static const unsigned char aes_192_no_df_nonce[] = {
+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
+ 0x29, 0xfd, 0x45, 0x71
+};
+static const unsigned char aes_192_no_df_personalizationstring[] = {
+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
+ 0x3b, 0x88, 0xce, 0x35
+};
+static const unsigned char aes_192_no_df_additionalinput[] = {
+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
+ 0x3e, 0xbe, 0xd4, 0x8e
+};
+static const unsigned char aes_192_no_df_int_returnedbits[] = {
+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
+ 0x45, 0xe7, 0x4a, 0xc5
+};
+static const unsigned char aes_192_no_df_entropyinputreseed[] = {
+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
+ 0x9b, 0xcb, 0x7e, 0x75
+};
+static const unsigned char aes_192_no_df_additionalinputreseed[] = {
+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
+ 0x5d, 0x7a, 0x25, 0x79
+};
+static const unsigned char aes_192_no_df_additionalinput2[] = {
+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
+ 0x91, 0x6a, 0xe3, 0x5f
+};
+static const unsigned char aes_192_no_df_returnedbits[] = {
+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
+ 0x66, 0x67, 0x2c, 0x92
+};
+
+
+/*
+ * AES-256 no df PR
+ */
+static const unsigned char aes_256_no_df_pr_entropyinput[] = {
+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c,
+};
+static const unsigned char aes_256_no_df_pr_nonce[] = {
+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
+ 0xcc, 0x4b, 0xee, 0x2e
+};
+static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06,
+};
+static const unsigned char aes_256_no_df_pr_additionalinput[] = {
+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e,
+};
+static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f,
+};
+static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
+ 0x79, 0x60, 0x93, 0xcf
+};
+static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb,
+};
+static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f,
+};
+static const unsigned char aes_256_no_df_pr_returnedbits[] = {
+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
+ 0x2d, 0x5f, 0x4a, 0x46
+};
+
+
+/*
+ * AES-256 no df no PR
+ */
+static const unsigned char aes_256_no_df_entropyinput[] = {
+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3,
+};
+static const unsigned char aes_256_no_df_nonce[] = {
+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
+ 0x43, 0x96, 0xb9, 0xf0
+};
+static const unsigned char aes_256_no_df_personalizationstring[] = {
+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d,
+};
+static const unsigned char aes_256_no_df_additionalinput[] = {
+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17,
+};
+static const unsigned char aes_256_no_df_int_returnedbits[] = {
+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
+ 0xd2, 0x25, 0x75, 0x0e
+};
+static const unsigned char aes_256_no_df_entropyinputreseed[] = {
+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb,
+};
+static const unsigned char aes_256_no_df_additionalinputreseed[] = {
+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29,
+};
+static const unsigned char aes_256_no_df_additionalinput2[] = {
+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6,
+};
+static const unsigned char aes_256_no_df_returnedbits[] = {
+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
+ 0xf6, 0x02, 0x32, 0xe2
+};
Index: openssl-1.1.1g/crypto/fips/fips_post.c
===================================================================
--- openssl-1.1.1g.orig/crypto/fips/fips_post.c 2020-05-15 16:18:44.030685013 +0200
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-05-15 16:19:01.662586731 +0200
@@ -51,7 +51,6 @@
#include <openssl/crypto.h>
#include <openssl/rand.h>
-#include <openssl/fips_rand.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/hmac.h>
Index: openssl-1.1.1g/crypto/fips/build.info
===================================================================
--- openssl-1.1.1g.orig/crypto/fips/build.info 2020-05-15 16:18:44.030685013 +0200
+++ openssl-1.1.1g/crypto/fips/build.info 2020-05-15 16:19:01.662586731 +0200
@@ -2,7 +2,7 @@ LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
- fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
fips_dh_selftest.c fips_ers.c
Index: openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
===================================================================
--- openssl-1.1.1g.orig/crypto/fips/fips_drbg_selftest.c 2020-05-15 16:18:44.030685013 +0200
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-05-15 16:19:01.666586709 +0200
@@ -774,6 +774,7 @@ int FIPS_drbg_health_check(DRBG_CTX *dct
return rv;
}
+#if 0
int FIPS_selftest_drbg(void)
{
DRBG_CTX *dctx;
@@ -798,6 +799,7 @@ int FIPS_selftest_drbg(void)
FIPS_drbg_free(dctx);
return rv;
}
+#endif
int FIPS_selftest_drbg_all(void)
{
Index: openssl-1.1.1g/crypto/fips/fips.c
===================================================================
--- openssl-1.1.1g.orig/crypto/fips/fips.c 2020-05-15 16:18:44.030685013 +0200
+++ openssl-1.1.1g/crypto/fips/fips.c 2020-05-15 16:19:01.666586709 +0200
@@ -50,7 +50,6 @@
#define _GNU_SOURCE
#include <openssl/rand.h>
-#include <openssl/fips_rand.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/hmac.h>