openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

Add DRBG random method 

Ported from the last FIPS release, with DUAL_EC and SHA1 and the
self-tests removed.  Since only AES-CTR is supported, other code
simplifications were done.  Removed the "entropy blocklen" concept.

Moved internal functions to new include/internal/rand.h.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3789)
This commit is contained in:
Rich Salz 2017-06-27 12:04:37 -04:00
parent 0299f3f790
commit 12fb8c3d2d
19 changed files with 2165 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
crypto/err/openssl.txt
View File

@ -860,9 +860,17 @@ PKCS7_F_PKCS7_SIGNER_INFO_SIGN:139:PKCS7_SIGNER_INFO_sign
PKCS7_F_PKCS7_SIGN_ADD_SIGNER:137:PKCS7_sign_add_signer
PKCS7_F_PKCS7_SIMPLE_SMIMECAP:119:PKCS7_simple_smimecap
PKCS7_F_PKCS7_VERIFY:117:PKCS7_verify
RAND_F_DRBG_BYTES:101:drbg_bytes
RAND_F_DRBG_GET_ENTROPY:105:drbg_get_entropy
RAND_F_GET_ENTROPY:106:get_entropy
RAND_F_RAND_BYTES:100:RAND_bytes
RAND_F_RAND_LOAD_FILE:101:RAND_load_file
RAND_F_RAND_WRITE_FILE:102:RAND_write_file
RAND_F_RAND_DRBG_GENERATE:107:RAND_DRBG_generate
RAND_F_RAND_DRBG_INSTANTIATE:108:RAND_DRBG_instantiate
RAND_F_RAND_DRBG_NEW:109:RAND_DRBG_new
RAND_F_RAND_DRBG_RESEED:110:RAND_DRBG_reseed
RAND_F_RAND_DRBG_SET:104:RAND_DRBG_set
RAND_F_RAND_LOAD_FILE:111:RAND_load_file
RAND_F_RAND_WRITE_FILE:112:RAND_write_file
RSA_F_CHECK_PADDING_MD:140:check_padding_md
RSA_F_ENCODE_PKCS1:146:encode_pkcs1
RSA_F_INT_RSA_VERIFY:145:int_rsa_verify
@ -2098,11 +2106,28 @@ PKCS7_R_UNSUPPORTED_CIPHER_TYPE:111:unsupported cipher type
PKCS7_R_UNSUPPORTED_CONTENT_TYPE:112:unsupported content type
PKCS7_R_WRONG_CONTENT_TYPE:113:wrong content type
PKCS7_R_WRONG_PKCS7_TYPE:114:wrong pkcs7 type
RAND_R_CANNOT_OPEN_FILE:102:Cannot open file
RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long
RAND_R_ALREADY_INSTANTIATED:103:already instantiated
RAND_R_CANNOT_OPEN_FILE:121:Cannot open file
RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised
RAND_R_ERROR_INITIALISING_DRBG:107:error initialising drbg
RAND_R_ERROR_INSTANTIATING_DRBG:108:error instantiating drbg
RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:109:error retrieving additional input
RAND_R_ERROR_RETRIEVING_ENTROPY:110:error retrieving entropy
RAND_R_ERROR_RETRIEVING_NONCE:111:error retrieving nonce
RAND_R_FUNC_NOT_IMPLEMENTED:101:Function not implemented
RAND_R_FWRITE_ERROR:103:Error writing file
RAND_R_NOT_A_REGULAR_FILE:104:Not a regular file
RAND_R_FWRITE_ERROR:123:Error writing file
RAND_R_GENERATE_ERROR:112:generate error
RAND_R_INTERNAL_ERROR:113:internal error
RAND_R_IN_ERROR_STATE:114:in error state
RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file
RAND_R_NOT_INSTANTIATED:115:not instantiated
RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long
RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded
RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg
RAND_R_RESEED_ERROR:118:reseed error
RAND_R_SELFTEST_FAILURE:119:selftest failure
RAND_R_UNSUPPORTED_DRBG_TYPE:120:unsupported drbg type
RSA_R_ALGORITHM_MISMATCH:100:algorithm mismatch
RSA_R_BAD_E_VALUE:101:bad e value
RSA_R_BAD_FIXED_HEADER_DECRYPT:102:bad fixed header decrypt

2
crypto/rand/build.info
View File

@ -1,4 +1,4 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
ossl_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_rand.c

349
crypto/rand/drbg_lib.c Normal file
View File

@ -0,0 +1,349 @@
/*
* Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include "rand_lcl.h"
/*
* Support framework for NIST SP 800-90A DRBG, AES-CTR mode.
*/
/*
* Get entropy from the existing callback. This is mainly used for KATs.
*/
static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len)
{
if (dctx->get_entropy != NULL)
return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
/* TODO: Get from parent if it exists. */
return 0;
}
/*
* Cleanup entropy.
*/
static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen)
{
if (dctx->cleanup_entropy != NULL)
dctx->cleanup_entropy(dctx, out, olen);
}
/*
* The OpenSSL model is to have new and free functions, and that new
* does all initialization. That is not the NIST model, which has
* instantiation and un-instantiate, and re-use within a new/free
* lifecycle. (No doubt this comes from the desire to support hardware
* DRBG, where allocation of resources on something like an HSM is
* a much bigger deal than just re-setting an allocated resource.)
*
* The DRBG_CTX is OpenSSL's opaque pointer to an instance of the
* DRBG.
*/
/*
* Set/initialize |dctx| to be of type |nid|, with optional |flags|.
* Return -2 if the type is not supported, 1 on success and -1 on
* failure.
*/
int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags)
{
int ret = 1;
dctx->status = DRBG_STATUS_UNINITIALISED;
dctx->flags = flags;
dctx->nid = nid;
switch (nid) {
default:
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
return -2;
case 0:
/* Uninitialized; that's okay. */
return 1;
case NID_aes_128_ctr:
case NID_aes_192_ctr:
case NID_aes_256_ctr:
ret = ctr_init(dctx);
break;
}
if (ret < 0)
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
return ret;
}
/*
* Allocate memory and initialize a new DRBG. The |parent|, if not
* NULL, will be used to auto-seed this DRBG_CTX as needed.
*/
DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent)
{
DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx));
if (dctx == NULL) {
RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
dctx->parent = parent;
if (RAND_DRBG_set(dctx, type, flags) < 0) {
OPENSSL_free(dctx);
return NULL;
}
return dctx;
}
/*
* Uninstantiate |dctx| and free all memory.
*/
void RAND_DRBG_free(DRBG_CTX *dctx)
{
if (dctx == NULL)
return;
ctr_uninstantiate(dctx);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data);
/* Don't free up default DRBG */
if (dctx == RAND_DRBG_get_default()) {
memset(dctx, 0, sizeof(DRBG_CTX));
dctx->nid = 0;
dctx->status = DRBG_STATUS_UNINITIALISED;
} else {
OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
OPENSSL_free(dctx);
}
}
/*
* Instantiate |dctx|, after it has been initialized. Use |pers| and
* |perslen| as prediction-resistance input.
*/
int RAND_DRBG_instantiate(DRBG_CTX *dctx,
const unsigned char *pers, size_t perslen)
{
size_t entlen = 0, noncelen = 0;
unsigned char *nonce = NULL, *entropy = NULL;
int r = 0;
if (perslen > dctx->max_pers) {
r = RAND_R_PERSONALISATION_STRING_TOO_LONG;
goto end;
}
if (dctx->status != DRBG_STATUS_UNINITIALISED) {
r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE
: RAND_R_ALREADY_INSTANTIATED;
goto end;
}
dctx->status = DRBG_STATUS_ERROR;
entlen = get_entropy(dctx, &entropy, dctx->strength,
dctx->min_entropy, dctx->max_entropy);
if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
r = RAND_R_ERROR_RETRIEVING_ENTROPY;
goto end;
}
if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) {
noncelen = dctx->get_nonce(dctx, &nonce,
dctx->strength / 2,
dctx->min_nonce, dctx->max_nonce);
if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
r = RAND_R_ERROR_RETRIEVING_NONCE;
goto end;
}
}
if (!ctr_instantiate(dctx, entropy, entlen,
nonce, noncelen, pers, perslen)) {
r = RAND_R_ERROR_INSTANTIATING_DRBG;
goto end;
}
dctx->status = DRBG_STATUS_READY;
dctx->reseed_counter = 1;
end:
if (entropy != NULL && dctx->cleanup_entropy != NULL)
dctx->cleanup_entropy(dctx, entropy, entlen);
if (nonce != NULL && dctx->cleanup_nonce!= NULL )
dctx->cleanup_nonce(dctx, nonce, noncelen);
if (dctx->status == DRBG_STATUS_READY)
return 1;
if (r)
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r);
return 0;
}
/*
* Uninstantiate |dctx|. Must be instantiated before it can be used.
*/
int RAND_DRBG_uninstantiate(DRBG_CTX *dctx)
{
int ret = ctr_uninstantiate(dctx);
OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
dctx->status = DRBG_STATUS_UNINITIALISED;
return ret;
}
/*
* Mix in the specified data to reseed |dctx|.
*/
int RAND_DRBG_reseed(DRBG_CTX *dctx,
const unsigned char *adin, size_t adinlen)
{
unsigned char *entropy = NULL;
size_t entlen = 0;
int r = 0;
if (dctx->status != DRBG_STATUS_READY
&& dctx->status != DRBG_STATUS_RESEED) {
if (dctx->status == DRBG_STATUS_ERROR)
r = RAND_R_IN_ERROR_STATE;
else if (dctx->status == DRBG_STATUS_UNINITIALISED)
r = RAND_R_NOT_INSTANTIATED;
goto end;
}
if (adin == NULL)
adinlen = 0;
else if (adinlen > dctx->max_adin) {
r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
goto end;
}
dctx->status = DRBG_STATUS_ERROR;
entlen = get_entropy(dctx, &entropy, dctx->strength,
dctx->min_entropy, dctx->max_entropy);
if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
r = RAND_R_ERROR_RETRIEVING_ENTROPY;
goto end;
}
if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen))
goto end;
dctx->status = DRBG_STATUS_READY;
dctx->reseed_counter = 1;
end:
if (entropy != NULL && dctx->cleanup_entropy != NULL)
cleanup_entropy(dctx, entropy, entlen);
if (dctx->status == DRBG_STATUS_READY)
return 1;
if (r)
RANDerr(RAND_F_RAND_DRBG_RESEED, r);
return 0;
}
/*
* Generate |outlen| bytes into the buffer at |out|. Reseed if we need
* to or if |prediction_resistance| is set. Additional input can be
* sent in |adin| and |adinlen|.
*/
int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
int prediction_resistance,
const unsigned char *adin, size_t adinlen)
{
int r = 0;
if (dctx->status != DRBG_STATUS_READY
&& dctx->status != DRBG_STATUS_RESEED) {
if (dctx->status == DRBG_STATUS_ERROR)
r = RAND_R_IN_ERROR_STATE;
else if(dctx->status == DRBG_STATUS_UNINITIALISED)
r = RAND_R_NOT_INSTANTIATED;
goto end;
}
if (outlen > dctx->max_request) {
r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG;
return 0;
}
if (adinlen > dctx->max_adin) {
r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
goto end;
}
if (dctx->reseed_counter >= dctx->reseed_interval)
dctx->status = DRBG_STATUS_RESEED;
if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
if (!RAND_DRBG_reseed(dctx, adin, adinlen)) {
r = RAND_R_RESEED_ERROR;
goto end;
}
adin = NULL;
adinlen = 0;
}
if (!ctr_generate(dctx, out, outlen, adin, adinlen)) {
r = RAND_R_GENERATE_ERROR;
dctx->status = DRBG_STATUS_ERROR;
goto end;
}
if (dctx->reseed_counter >= dctx->reseed_interval)
dctx->status = DRBG_STATUS_RESEED;
else
dctx->reseed_counter++;
return 1;
end:
RANDerr(RAND_F_RAND_DRBG_GENERATE, r);
return 0;
}
/*
* Set the callbacks for entropy and nonce. Used mainly for the KATs
*/
int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len),
void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len),
void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
{
if (dctx->status != DRBG_STATUS_UNINITIALISED)
return 0;
dctx->get_entropy = cb_get_entropy;
dctx->cleanup_entropy = cb_cleanup_entropy;
dctx->get_nonce = cb_get_nonce;
dctx->cleanup_nonce = cb_cleanup_nonce;
return 1;
}
/*
* Set the reseed internal. Used mainly for the KATs.
*/
void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval)
{
dctx->reseed_interval = interval;
}
/*
* Get and set the EXDATA
*/
int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg)
{
return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg);
}
void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx)
{
return CRYPTO_get_ex_data(&dctx->ex_data, idx);
}

449
crypto/rand/drbg_rand.c Normal file
View File

@ -0,0 +1,449 @@
/*
* Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include "rand_lcl.h"
#include "internal/thread_once.h"
/*
* Mapping of NIST SP 800-90A DRBG to OpenSSL RAND_METHOD.
*/
/*
* The default global DRBG and its auto-init/auto-cleanup.
*/
static DRBG_CTX ossl_drbg;
static CRYPTO_ONCE ossl_drbg_init = CRYPTO_ONCE_STATIC_INIT;
DEFINE_RUN_ONCE_STATIC(do_ossl_drbg_init)
{
ossl_drbg.lock = CRYPTO_THREAD_lock_new();
return ossl_drbg.lock != NULL;
}
void rand_drbg_cleanup(void)
{
CRYPTO_THREAD_lock_free(ossl_drbg.lock);
}
static void inc_128(DRBG_CTR_CTX *cctx)
{
int i;
unsigned char c;
unsigned char *p = &cctx->V[15];
for (i = 0; i < 16; i++, p--) {
c = *p;
c++;
*p = c;
if (c != 0) {
/* If we didn't wrap around, we're done. */
break;
}
}
}
static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
{
size_t i, n;
if (in == NULL || inlen == 0)
return;
/*
* Any zero padding will have no effect on the result as we
* are XORing. So just process however much input we have.
*/
n = inlen < cctx->keylen ? inlen : cctx->keylen;
for (i = 0; i < n; i++)
cctx->K[i] ^= in[i];
if (inlen <= cctx->keylen)
return;
n = inlen - cctx->keylen;
if (n > 16) {
/* Should never happen */
n = 16;
}
for (i = 0; i < 16; i++)
cctx->V[i] ^= in[i + cctx->keylen];
}
/*
* Process a complete block using BCC algorithm of SP 800-90A 10.3.3
*/
static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out,
const unsigned char *in)
{
int i;
for (i = 0; i < 16; i++)
out[i] ^= in[i];
AES_encrypt(out, out, &cctx->df_ks);
}
/*
* Handle several BCC operations for as much data as we need for K and X
*/
static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in)
{
ctr_BCC_block(cctx, cctx->KX, in);
ctr_BCC_block(cctx, cctx->KX + 16, in);
if (cctx->keylen != 16)
ctr_BCC_block(cctx, cctx->KX + 32, in);
}
/*
* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
* see 10.3.1 stage 7.
*/
static void ctr_BCC_init(DRBG_CTR_CTX *cctx)
{
memset(cctx->KX, 0, 48);
memset(cctx->bltmp, 0, 16);
ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
cctx->bltmp[3] = 1;
ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
if (cctx->keylen != 16) {
cctx->bltmp[3] = 2;
ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
}
}
/*
* Process several blocks into BCC algorithm, some possibly partial
*/
static void ctr_BCC_update(DRBG_CTR_CTX *cctx,
const unsigned char *in, size_t inlen)
{
if (in == NULL || inlen == 0)
return;
/* If we have partial block handle it first */
if (cctx->bltmp_pos) {
size_t left = 16 - cctx->bltmp_pos;
/* If we now have a complete block process it */
if (inlen >= left) {
memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
ctr_BCC_blocks(cctx, cctx->bltmp);
cctx->bltmp_pos = 0;
inlen -= left;
in += left;
}
}
/* Process zero or more complete blocks */
for (; inlen >= 16; in += 16, inlen -= 16) {
ctr_BCC_blocks(cctx, in);
}
/* Copy any remaining partial block to the temporary buffer */
if (inlen > 0) {
memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
cctx->bltmp_pos += inlen;
}
}
static void ctr_BCC_final(DRBG_CTR_CTX *cctx)
{
if (cctx->bltmp_pos) {
memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
ctr_BCC_blocks(cctx, cctx->bltmp);
}
}
static void ctr_df(DRBG_CTR_CTX *cctx,
const unsigned char *in1, size_t in1len,
const unsigned char *in2, size_t in2len,
const unsigned char *in3, size_t in3len)
{
static unsigned char c80 = 0x80;
size_t inlen;
unsigned char *p = cctx->bltmp;
ctr_BCC_init(cctx);
if (in1 == NULL)
in1len = 0;
if (in2 == NULL)
in2len = 0;
if (in3 == NULL)
in3len = 0;
inlen = in1len + in2len + in3len;
/* Initialise L||N in temporary block */
*p++ = (inlen >> 24) & 0xff;
*p++ = (inlen >> 16) & 0xff;
*p++ = (inlen >> 8) & 0xff;
*p++ = inlen & 0xff;
/* NB keylen is at most 32 bytes */
*p++ = 0;
*p++ = 0;
*p++ = 0;
*p = (unsigned char)((cctx->keylen + 16) & 0xff);
cctx->bltmp_pos = 8;
ctr_BCC_update(cctx, in1, in1len);
ctr_BCC_update(cctx, in2, in2len);
ctr_BCC_update(cctx, in3, in3len);
ctr_BCC_update(cctx, &c80, 1);
ctr_BCC_final(cctx);
/* Set up key K */
AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
/* X follows key K */
AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
if (cctx->keylen != 16)
AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
}
/*
* NB the no-df Update in SP800-90A specifies a constant input length
* of seedlen, however other uses of this algorithm pad the input with
* zeroes if necessary and have up to two parameters XORed together,
* handle both cases in this function instead.
*/
static void ctr_update(DRBG_CTX *dctx,
const unsigned char *in1, size_t in1len,
const unsigned char *in2, size_t in2len,
const unsigned char *nonce, size_t noncelen)
{
DRBG_CTR_CTX *cctx = &dctx->ctr;
/* ks is already setup for correct key */
inc_128(cctx);
AES_encrypt(cctx->V, cctx->K, &cctx->ks);
/* If keylen longer than 128 bits need extra encrypt */
if (cctx->keylen != 16) {
inc_128(cctx);
AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
}
inc_128(cctx);
AES_encrypt(cctx->V, cctx->V, &cctx->ks);
/* If 192 bit key part of V is on end of K */
if (cctx->keylen == 24) {
memcpy(cctx->V + 8, cctx->V, 8);
memcpy(cctx->V, cctx->K + 24, 8);
}
if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
/* If no input reuse existing derived value */
if (in1 != NULL || nonce != NULL || in2 != NULL)
ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
/* If this a reuse input in1len != 0 */
if (in1len)
ctr_XOR(cctx, cctx->KX, dctx->seedlen);
} else {
ctr_XOR(cctx, in1, in1len);
ctr_XOR(cctx, in2, in2len);
}
AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
}
int ctr_instantiate(DRBG_CTX *dctx,
const unsigned char *ent, size_t entlen,
const unsigned char *nonce, size_t noncelen,
const unsigned char *pers, size_t perslen)
{
DRBG_CTR_CTX *cctx = &dctx->ctr;
memset(cctx->K, 0, sizeof(cctx->K));
memset(cctx->V, 0, sizeof(cctx->V));
AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
ctr_update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
return 1;
}
int ctr_reseed(DRBG_CTX *dctx,
const unsigned char *ent, size_t entlen,
const unsigned char *adin, size_t adinlen)
{
ctr_update(dctx, ent, entlen, adin, adinlen, NULL, 0);
return 1;
}
int ctr_generate(DRBG_CTX *dctx,
unsigned char *out, size_t outlen,
const unsigned char *adin, size_t adinlen)
{
DRBG_CTR_CTX *cctx = &dctx->ctr;
if (adin != NULL && adinlen != 0) {
ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0);
/* This means we reuse derived value */
if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
adin = NULL;
adinlen = 1;
}
} else {
adinlen = 0;
}
for ( ; ; ) {
inc_128(cctx);
if (outlen < 16) {
/* Use K as temp space as it will be updated */
AES_encrypt(cctx->V, cctx->K, &cctx->ks);
memcpy(out, cctx->K, outlen);
break;
}
AES_encrypt(cctx->V, out, &cctx->ks);
out += 16;
outlen -= 16;
if (outlen == 0)
break;
}
ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0);
return 1;
}
int ctr_uninstantiate(DRBG_CTX *dctx)
{
memset(&dctx->ctr, 0, sizeof(dctx->ctr));
return 1;
}
int ctr_init(DRBG_CTX *dctx)
{
DRBG_CTR_CTX *cctx = &dctx->ctr;
size_t keylen;
switch (dctx->nid) {
default:
/* This can't happen, but silence the compiler warning. */
return -1;
case NID_aes_128_ctr:
keylen = 16;
break;
case NID_aes_192_ctr:
keylen = 24;
break;
case NID_aes_256_ctr:
keylen = 32;
break;
}
cctx->keylen = keylen;
dctx->strength = keylen * 8;
dctx->blocklength = 16;
dctx->seedlen = keylen + 16;
if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) {
/* df initialisation */
static unsigned char df_key[32] = {
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
};
/* Set key schedule for df_key */
AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
dctx->min_entropy = cctx->keylen;
dctx->max_entropy = DRBG_MAX_LENGTH;
dctx->min_nonce = dctx->min_entropy / 2;
dctx->max_nonce = DRBG_MAX_LENGTH;
dctx->max_pers = DRBG_MAX_LENGTH;
dctx->max_adin = DRBG_MAX_LENGTH;
} else {
dctx->min_entropy = dctx->seedlen;
dctx->max_entropy = dctx->seedlen;
/* Nonce not used */
dctx->min_nonce = 0;
dctx->max_nonce = 0;
dctx->max_pers = dctx->seedlen;
dctx->max_adin = dctx->seedlen;
}
dctx->max_request = 1 << 16;
dctx->reseed_interval = 1 << 24;
return 1;
}
/*
* The following function tie the DRBG code into the RAND_METHOD
*/
DRBG_CTX *RAND_DRBG_get_default(void)
{
if (!RUN_ONCE(&ossl_drbg_init, do_ossl_drbg_init))
return NULL;
return &ossl_drbg;
}
static int drbg_bytes(unsigned char *out, int count)
{
DRBG_CTX *dctx = RAND_DRBG_get_default();
int ret = 0;
CRYPTO_THREAD_write_lock(dctx->lock);
do {
size_t rcnt;
if (count > (int)dctx->max_request)
rcnt = dctx->max_request;
else
rcnt = count;
ret = RAND_DRBG_generate(dctx, out, rcnt, 0, NULL, 0);
if (!ret)
goto err;
out += rcnt;
count -= rcnt;
} while (count);
ret = 1;
err:
CRYPTO_THREAD_unlock(dctx->lock);
return ret;
}
static int drbg_status(void)
{
DRBG_CTX *dctx = RAND_DRBG_get_default();
int ret;
CRYPTO_THREAD_write_lock(dctx->lock);
ret = dctx->status == DRBG_STATUS_READY ? 1 : 0;
CRYPTO_THREAD_unlock(dctx->lock);
return ret;
}
static void drbg_cleanup(void)
{
DRBG_CTX *dctx = RAND_DRBG_get_default();
CRYPTO_THREAD_write_lock(dctx->lock);
RAND_DRBG_uninstantiate(dctx);
CRYPTO_THREAD_unlock(dctx->lock);
}
static const RAND_METHOD rand_drbg_meth =
{
NULL,
drbg_bytes,
drbg_cleanup,
NULL,
drbg_bytes,
drbg_status
};
const RAND_METHOD *RAND_drbg(void)
{
return &rand_drbg_meth;
}

52
crypto/rand/ossl_rand.c
View File

@ -38,8 +38,8 @@ typedef struct ossl_rand_state_st OSSL_RAND_STATE;
struct ossl_rand_state_st {
size_t num;
size_t index;
unsigned char state[STATE_SIZE + RAND_DIGEST_LENGTH];
unsigned char md[RAND_DIGEST_LENGTH];
unsigned char state[STATE_SIZE + SHA_DIGEST_LENGTH];
unsigned char md[SHA_DIGEST_LENGTH];
long md_count[2];
};
@ -103,7 +103,7 @@ static int rand_add(const void *buf, int num, double add)
{
int i, j, k, st_idx;
long md_c[2];
unsigned char local_md[RAND_DIGEST_LENGTH];
unsigned char local_md[SHA_DIGEST_LENGTH];
EVP_MD_CTX *m;
int do_not_lock;
int rv = 0;
@ -178,18 +178,18 @@ static int rand_add(const void *buf, int num, double add)
* will use now, but other threads may use them as well
*/
sp->md_count[1] += (num / RAND_DIGEST_LENGTH) + (num % RAND_DIGEST_LENGTH > 0);
sp->md_count[1] += (num / SHA_DIGEST_LENGTH) + (num % SHA_DIGEST_LENGTH > 0);
if (!do_not_lock)
CRYPTO_THREAD_unlock(rand_lock);
for (i = 0; i < num; i += RAND_DIGEST_LENGTH) {
for (i = 0; i < num; i += SHA_DIGEST_LENGTH) {
j = (num - i);
j = (j > RAND_DIGEST_LENGTH) ? RAND_DIGEST_LENGTH : j;
j = (j > SHA_DIGEST_LENGTH) ? SHA_DIGEST_LENGTH : j;
if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL))
if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL))
goto err;
if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
goto err;
k = (st_idx + j) - STATE_SIZE;
if (k > 0) {
@ -268,7 +268,7 @@ static int rand_bytes(unsigned char *buf, int num)
size_t num_ceil, st_idx, st_num;
int ok;
long md_c[2];
unsigned char local_md[RAND_DIGEST_LENGTH];
unsigned char local_md[SHA_DIGEST_LENGTH];
EVP_MD_CTX *m;
OSSL_RAND_STATE *sp = &global_state;
#ifndef GETPID_IS_MEANINGLESS
@ -314,9 +314,9 @@ static int rand_bytes(unsigned char *buf, int num)
if (m == NULL)
goto err_mem;
/* round upwards to multiple of RAND_DIGEST_LENGTH/2 */
/* round upwards to multiple of SHA_DIGEST_LENGTH/2 */
num_ceil =
(1 + (num - 1) / (RAND_DIGEST_LENGTH / 2)) * (RAND_DIGEST_LENGTH / 2);
(1 + (num - 1) / (SHA_DIGEST_LENGTH / 2)) * (SHA_DIGEST_LENGTH / 2);
/*
* (Based on the rand(3) manpage:)
@ -389,16 +389,16 @@ static int rand_bytes(unsigned char *buf, int num)
int n = STATE_SIZE; /* so that the complete pool gets accessed */
while (n > 0) {
#if RAND_DIGEST_LENGTH > 20
#if SHA_DIGEST_LENGTH > 20
# error "Please adjust DUMMY_SEED."
#endif
#define DUMMY_SEED "...................." /* at least RAND_DIGEST_LENGTH */
#define DUMMY_SEED "...................." /* at least SHA_DIGEST_LENGTH */
/*
* Note that the seed does not matter, it's just that
* rand_add expects to have something to hash.
*/
rand_add(DUMMY_SEED, RAND_DIGEST_LENGTH, 0.0);
n -= RAND_DIGEST_LENGTH;
rand_add(DUMMY_SEED, SHA_DIGEST_LENGTH, 0.0);
n -= SHA_DIGEST_LENGTH;
}
if (ok)
stirred_pool = 1;
@ -427,10 +427,10 @@ static int rand_bytes(unsigned char *buf, int num)
CRYPTO_THREAD_unlock(rand_lock);
while (num > 0) {
/* num_ceil -= RAND_DIGEST_LENGTH / 2 */
j = (num >= RAND_DIGEST_LENGTH / 2) ? RAND_DIGEST_LENGTH / 2 : num;
/* num_ceil -= SHA_DIGEST_LENGTH / 2 */
j = (num >= SHA_DIGEST_LENGTH / 2) ? SHA_DIGEST_LENGTH / 2 : num;
num -= j;
if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL))
if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL))
goto err;
#ifndef GETPID_IS_MEANINGLESS
if (curr_pid) { /* just in the first iteration to save time */
@ -448,35 +448,35 @@ static int rand_bytes(unsigned char *buf, int num)
if (!rand_hw_seed(m))
goto err;
}
if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
goto err;
if (!EVP_DigestUpdate(m, (unsigned char *)md_c, sizeof(md_c)))
goto err;
k = (st_idx + RAND_DIGEST_LENGTH / 2) - st_num;
k = (st_idx + SHA_DIGEST_LENGTH / 2) - st_num;
if (k > 0) {
if (!EVP_DigestUpdate(m, &sp->state[st_idx], RAND_DIGEST_LENGTH / 2 - k))
if (!EVP_DigestUpdate(m, &sp->state[st_idx], SHA_DIGEST_LENGTH / 2 - k))
goto err;
if (!EVP_DigestUpdate(m, &sp->state[0], k))
goto err;
} else if (!EVP_DigestUpdate(m, &sp->state[st_idx], RAND_DIGEST_LENGTH / 2))
} else if (!EVP_DigestUpdate(m, &sp->state[st_idx], SHA_DIGEST_LENGTH / 2))
goto err;
if (!EVP_DigestFinal_ex(m, local_md, NULL))
goto err;
for (i = 0; i < RAND_DIGEST_LENGTH / 2; i++) {
for (i = 0; i < SHA_DIGEST_LENGTH / 2; i++) {
/* may compete with other threads */
sp->state[st_idx++] ^= local_md[i];
if (st_idx >= st_num)
st_idx = 0;
if (i < j)
*(buf++) = local_md[i + RAND_DIGEST_LENGTH / 2];
*(buf++) = local_md[i + SHA_DIGEST_LENGTH / 2];
}
}
if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL)
if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL)
|| !EVP_DigestUpdate(m, (unsigned char *)md_c, sizeof(md_c))
|| !EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH))
|| !EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH))
goto err;
CRYPTO_THREAD_write_lock(rand_lock);
/*

38
crypto/rand/rand_err.c
View File

@ -14,20 +14,58 @@
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA RAND_str_functs[] = {
{ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_BYTES, 0), "drbg_bytes"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_GET_ENTROPY, 0), "drbg_get_entropy"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_GET_ENTROPY, 0), "get_entropy"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_BYTES, 0), "RAND_bytes"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GENERATE, 0),
"RAND_DRBG_generate"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_INSTANTIATE, 0),
"RAND_DRBG_instantiate"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_NEW, 0), "RAND_DRBG_new"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_RESEED, 0), "RAND_DRBG_reseed"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_SET, 0), "RAND_DRBG_set"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_LOAD_FILE, 0), "RAND_load_file"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_WRITE_FILE, 0), "RAND_write_file"},
{0, NULL}
};
static const ERR_STRING_DATA RAND_str_reasons[] = {
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ADDITIONAL_INPUT_TOO_LONG),
"additional input too long"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ALREADY_INSTANTIATED),
"already instantiated"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_CANNOT_OPEN_FILE), "Cannot open file"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DRBG_NOT_INITIALISED),
"drbg not initialised"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_INITIALISING_DRBG),
"error initialising drbg"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_INSTANTIATING_DRBG),
"error instantiating drbg"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
"error retrieving additional input"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_ENTROPY),
"error retrieving entropy"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ERROR_RETRIEVING_NONCE),
"error retrieving nonce"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_FUNC_NOT_IMPLEMENTED),
"Function not implemented"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_FWRITE_ERROR), "Error writing file"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_GENERATE_ERROR), "generate error"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INTERNAL_ERROR), "internal error"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_IN_ERROR_STATE), "in error state"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_A_REGULAR_FILE),
"Not a regular file"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_INSTANTIATED), "not instantiated"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PERSONALISATION_STRING_TOO_LONG),
"personalisation string too long"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG),
"request too large for drbg"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_RESEED_ERROR), "reseed error"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_SELFTEST_FAILURE), "selftest failure"},
{ERR_PACK(ERR_LIB_RAND, 0, RAND_R_UNSUPPORTED_DRBG_TYPE),
"unsupported drbg type"},
{0, NULL}
};

86
crypto/rand/rand_lcl.h
View File

@ -10,15 +10,93 @@
#ifndef HEADER_RAND_LCL_H
# define HEADER_RAND_LCL_H
# include <openssl/aes.h>
# include <openssl/evp.h>
# include <openssl/sha.h>
# include <openssl/hmac.h>
# include <openssl/ec.h>
# include "include/internal/rand.h"
/* we require 256 bits of randomness */
# define RANDOMNESS_NEEDED (256 / 8)
# include <openssl/evp.h>
# include <openssl/sha.h>
/* DRBG status values */
#define DRBG_STATUS_UNINITIALISED 0
#define DRBG_STATUS_READY 1
#define DRBG_STATUS_RESEED 2
#define DRBG_STATUS_ERROR 3
/* A default maximum length: larger than any reasonable value used in pratice */
#define DRBG_MAX_LENGTH 0x7ffffff0
typedef struct drbg_ctr_ctx_st {
AES_KEY ks;
size_t keylen;
unsigned char K[32];
unsigned char V[16];
/* Temp variables used by derivation function */
AES_KEY df_ks;
AES_KEY df_kxks;
/* Temporary block storage used by ctr_df */
unsigned char bltmp[16];
size_t bltmp_pos;
unsigned char KX[48];
} DRBG_CTR_CTX;
struct drbg_ctx_st {
CRYPTO_RWLOCK *lock;
DRBG_CTX *parent;
int nid; /* the NID of the underlying algorithm */
unsigned int flags; /* various external flags */
/* The following parameters are setup by mechanism drbg_init() call */
int strength;
size_t blocklength;
size_t max_request;
size_t min_entropy, max_entropy;
size_t min_nonce, max_nonce;
size_t max_pers, max_adin;
unsigned int reseed_counter;
unsigned int reseed_interval;
size_t seedlen;
int status;
/* Application data: typically (only?) used by test get_entropy */
CRYPTO_EX_DATA ex_data;
/* Implementation specific structures */
DRBG_CTR_CTX ctr;
/* entropy gathering function */
size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len);
/* Indicates we have finished with entropy buffer */
void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
/* nonce gathering function */
size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len);
/* Indicates we have finished with nonce buffer */
void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
};
# define RAND_DIGEST EVP_sha1()
# define RAND_DIGEST_LENGTH SHA_DIGEST_LENGTH
extern RAND_METHOD openssl_rand_meth;
void rand_drbg_cleanup(void);
int ctr_init(DRBG_CTX *dctx);
int drbg_hash_init(DRBG_CTX *dctx);
int drbg_hmac_init(DRBG_CTX *dctx);
int ctr_uninstantiate(DRBG_CTX *dctx);
int ctr_instantiate(DRBG_CTX *dctx,
const unsigned char *ent, size_t entlen,
const unsigned char *nonce, size_t noncelen,
const unsigned char *pers, size_t perslen);
int ctr_reseed(DRBG_CTX *dctx,
const unsigned char *ent, size_t entlen,
const unsigned char *adin, size_t adinlen);
int ctr_generate(DRBG_CTX *dctx,
unsigned char *out, size_t outlen,
const unsigned char *adin, size_t adinlen);
#endif

1
crypto/rand/rand_lib.c
View File

@ -49,6 +49,7 @@ void rand_cleanup_int(void)
CRYPTO_THREAD_lock_free(rand_engine_lock);
#endif
CRYPTO_THREAD_lock_free(rand_meth_lock);
rand_drbg_cleanup();
}
int RAND_set_rand_method(const RAND_METHOD *meth)

50
include/internal/rand.h Normal file
View File

@ -0,0 +1,50 @@
/*
* Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_DRBG_RAND_H
# define HEADER_DRBG_RAND_H
/* Flag for CTR mode only: use derivation function ctr_df */
#define RAND_DRBG_FLAG_CTR_USE_DF 0x2
const RAND_METHOD *RAND_drbg(void);
int RAND_DRBG_set(DRBG_CTX *ctx, int type, unsigned int flags);
DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent);
int RAND_DRBG_instantiate(DRBG_CTX *dctx,
const unsigned char *pers, size_t perslen);
int RAND_DRBG_uninstantiate(DRBG_CTX *dctx);
int RAND_DRBG_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
int prediction_resistance,
const unsigned char *adin, size_t adinlen);
void RAND_DRBG_free(DRBG_CTX *dctx);
int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len),
void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len),
void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)
);
void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval);
#define RAND_DRBG_get_ex_new_index(l, p, newf, dupf, freef) \
CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DRBG, l, p, newf, dupf, freef)
int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg);
void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx);
DRBG_CTX *RAND_DRBG_get_default(void);
#endif

3
include/openssl/crypto.h
View File

@ -107,7 +107,8 @@ DEFINE_STACK_OF(void)
# define CRYPTO_EX_INDEX_BIO 12
# define CRYPTO_EX_INDEX_APP 13
# define CRYPTO_EX_INDEX_UI_METHOD 14
# define CRYPTO_EX_INDEX__COUNT 15
# define CRYPTO_EX_INDEX_DRBG 15
# define CRYPTO_EX_INDEX__COUNT 16
/*
* This is the default callbacks, but we can have others as well: this is

1
include/openssl/ossl_typ.h
View File

@ -114,6 +114,7 @@ typedef struct ec_key_st EC_KEY;
typedef struct ec_key_method_st EC_KEY_METHOD;
typedef struct rand_meth_st RAND_METHOD;
typedef struct drbg_ctx_st DRBG_CTX;
typedef struct ssl_dane_st SSL_DANE;
typedef struct x509_st X509;

19
include/openssl/rand.h
View File

@ -38,15 +38,15 @@ const RAND_METHOD *RAND_get_rand_method(void);
int RAND_set_rand_engine(ENGINE *engine);
# endif
RAND_METHOD *RAND_OpenSSL(void);
#if OPENSSL_API_COMPAT < 0x10100000L
# define RAND_cleanup() while(0) continue
#endif
# if OPENSSL_API_COMPAT < 0x10100000L
# define RAND_cleanup() while(0) continue
# endif
int RAND_bytes(unsigned char *buf, int num);
DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
void RAND_seed(const void *buf, int num);
#if defined(__ANDROID__) && defined(__NDK_FPABI__)
# if defined(__ANDROID__) && defined(__NDK_FPABI__)
__NDK_FPABI__ /* __attribute__((pcs("aapcs"))) on ARM */
#endif
# endif
void RAND_add(const void *buf, int num, double randomness);
int RAND_load_file(const char *file, long max_bytes);
int RAND_write_file(const char *file);
@ -59,15 +59,16 @@ int RAND_egd_bytes(const char *path, int bytes);
# endif
int RAND_poll(void);
#if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H))
# if defined(_WIN32) && (defined(BASETYPES) || defined(_WINDEF_H))
/* application has to include <windows.h> in order to use these */
DEPRECATEDIN_1_1_0(void RAND_screen(void))
DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
#endif
# endif
int ERR_load_RAND_strings(void);
# ifdef __cplusplus
#ifdef __cplusplus
}
# endif
#endif
#endif

35
include/openssl/randerr.h
View File

@ -22,17 +22,42 @@ int ERR_load_RAND_strings(void);
/*
* RAND function codes.
*/
# define RAND_F_DRBG_BYTES 101
# define RAND_F_DRBG_GET_ENTROPY 105
# define RAND_F_GET_ENTROPY 106
# define RAND_F_RAND_BYTES 100
# define RAND_F_RAND_LOAD_FILE 101
# define RAND_F_RAND_WRITE_FILE 102
# define RAND_F_RAND_DRBG_GENERATE 107
# define RAND_F_RAND_DRBG_INSTANTIATE 108
# define RAND_F_RAND_DRBG_NEW 109
# define RAND_F_RAND_DRBG_RESEED 110
# define RAND_F_RAND_DRBG_SET 104
# define RAND_F_RAND_LOAD_FILE 111
# define RAND_F_RAND_WRITE_FILE 112
/*
* RAND reason codes.
*/
# define RAND_R_CANNOT_OPEN_FILE 102
# define RAND_R_ADDITIONAL_INPUT_TOO_LONG 102
# define RAND_R_ALREADY_INSTANTIATED 103
# define RAND_R_CANNOT_OPEN_FILE 121
# define RAND_R_DRBG_NOT_INITIALISED 104
# define RAND_R_ERROR_INITIALISING_DRBG 107
# define RAND_R_ERROR_INSTANTIATING_DRBG 108
# define RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 109
# define RAND_R_ERROR_RETRIEVING_ENTROPY 110
# define RAND_R_ERROR_RETRIEVING_NONCE 111
# define RAND_R_FUNC_NOT_IMPLEMENTED 101
# define RAND_R_FWRITE_ERROR 103
# define RAND_R_NOT_A_REGULAR_FILE 104
# define RAND_R_FWRITE_ERROR 123
# define RAND_R_GENERATE_ERROR 112
# define RAND_R_INTERNAL_ERROR 113
# define RAND_R_IN_ERROR_STATE 114
# define RAND_R_NOT_A_REGULAR_FILE 122
# define RAND_R_NOT_INSTANTIATED 115
# define RAND_R_PERSONALISATION_STRING_TOO_LONG 116
# define RAND_R_PRNG_NOT_SEEDED 100
# define RAND_R_REQUEST_TOO_LARGE_FOR_DRBG 117
# define RAND_R_RESEED_ERROR 118
# define RAND_R_SELFTEST_FAILURE 119
# define RAND_R_UNSUPPORTED_DRBG_TYPE 120
#endif

7
test/build.info
View File

@ -42,7 +42,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
pkey_meth_test uitest cipherbytes_test asn1_encode_test \
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test recordlentest \
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest \
time_offset_test pemtest ssl_cert_table_internal_test
SOURCE[aborttest]=aborttest.c
@ -302,6 +303,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
INCLUDE[recordlentest]=../include .
DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a
SOURCE[drbgtest]=drbgtest.c
INCLUDE[drbgtest]=../include . ..
DEPEND[drbgtest]=../libcrypto libtestutil.a
SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c
INCLUDE[x509_dup_cert_test]=../include
DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a

490
test/drbgtest.c Normal file
View File

@ -0,0 +1,490 @@
/*
* Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include "e_os.h"
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/obj_mac.h>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include "../crypto/rand/rand_lcl.h"
#include "testutil.h"
#include "drbgtest.h"
typedef struct drbg_selftest_data_st {
int post;
int nid;
unsigned int flags;
/* KAT data for no PR */
const unsigned char *ent;
size_t entlen;
const unsigned char *nonce;
size_t noncelen;
const unsigned char *pers;
size_t perslen;
const unsigned char *adin;
size_t adinlen;
const unsigned char *entreseed;
size_t entreseedlen;
const unsigned char *adinreseed;
size_t adinreseedlen;
const unsigned char *adin2;
size_t adin2len;
const unsigned char *expected;
size_t exlen;
const unsigned char *kat2;
size_t kat2len;
/* KAT data for PR */
const unsigned char *ent_pr;
size_t entlen_pr;
const unsigned char *nonce_pr;
size_t noncelen_pr;
const unsigned char *pers_pr;
size_t perslen_pr;
const unsigned char *adin_pr;
size_t adinlen_pr;
const unsigned char *entpr_pr;
size_t entprlen_pr;
const unsigned char *ading_pr;
size_t adinglen_pr;
const unsigned char *entg_pr;
size_t entglen_pr;
const unsigned char *kat_pr;
size_t katlen_pr;
const unsigned char *kat2_pr;
size_t kat2len_pr;
} DRBG_SELFTEST_DATA;
#define make_drbg_test_data(nid, flag, pr, post) {\
post, nid, flag, \
pr##_entropyinput, sizeof(pr##_entropyinput), \
pr##_nonce, sizeof(pr##_nonce), \
pr##_personalizationstring, sizeof(pr##_personalizationstring), \
pr##_additionalinput, sizeof(pr##_additionalinput), \
pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
pr##_additionalinput2, sizeof(pr##_additionalinput2), \
pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
pr##_returnedbits, sizeof(pr##_returnedbits), \
pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
pr##_pr_nonce, sizeof(pr##_pr_nonce), \
pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
}
#define make_drbg_test_data_df(nid, pr, p) \
make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_USE_DF, pr, p)
static DRBG_SELFTEST_DATA drbg_test[] = {
make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
make_drbg_test_data (NID_aes_128_ctr, 0, aes_128_no_df, 0),
make_drbg_test_data (NID_aes_192_ctr, 0, aes_192_no_df, 0),
make_drbg_test_data (NID_aes_256_ctr, 0, aes_256_no_df, 1),
};
static int app_data_index;
/*
* Test context data, attached as appdata to the DRBG_CTX
*/
typedef struct test_ctx_st {
const unsigned char *ent;
size_t entlen;
int entcnt;
const unsigned char *nonce;
size_t noncelen;
int noncecnt;
} TEST_CTX;
static size_t kat_entropy(DRBG_CTX *dctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len)
{
TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index);
t->entcnt++;
*pout = (unsigned char *)t->ent;
return t->entlen;
}
static size_t kat_nonce(DRBG_CTX *dctx, unsigned char **pout,
int entropy, size_t min_len, size_t max_len)
{
TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(dctx, app_data_index);
t->noncecnt++;
*pout = (unsigned char *)t->nonce;
return t->noncelen;
}
static int uninstantiate(DRBG_CTX *dctx)
{
int ret = dctx == NULL ? 1 : RAND_DRBG_uninstantiate(dctx);
ERR_clear_error();
return ret;
}
/*
* Do a single KAT test. Return 0 on failure.
*/
static int single_kat(DRBG_SELFTEST_DATA *td)
{
DRBG_CTX *dctx = NULL;
TEST_CTX t;
int failures = 0;
unsigned char buff[1024];
/*
* Test without PR: Instantiate DRBG with test entropy, nonce and
* personalisation string.
*/
if (!TEST_ptr(dctx = RAND_DRBG_new(td->nid, td->flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
kat_nonce, NULL))) {
failures++;
goto err;
}
memset(&t, 0, sizeof(t));
t.ent = td->ent;
t.entlen = td->entlen;
t.nonce = td->nonce;
t.noncelen = td->noncelen;
RAND_DRBG_set_ex_data(dctx, app_data_index, &t);
if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen))
|| !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen))
failures++;
/* Reseed DRBG with test entropy and additional input */
t.ent = td->entreseed;
t.entlen = td->entreseedlen;
if (!TEST_true(RAND_DRBG_reseed(dctx, td->adinreseed, td->adinreseedlen)
|| !TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len, 0,
td->adin2, td->adin2len))
|| !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len)))
failures++;
uninstantiate(dctx);
/*
* Now test with PR: Instantiate DRBG with test entropy, nonce and
* personalisation string.
*/
if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags))
|| !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
kat_nonce, NULL)))
failures++;
RAND_DRBG_set_ex_data(dctx, app_data_index, &t);
t.ent = td->ent_pr;
t.entlen = td->entlen_pr;
t.nonce = td->nonce_pr;
t.noncelen = td->noncelen_pr;
t.entcnt = 0;
t.noncecnt = 0;
if (!TEST_true(RAND_DRBG_instantiate(dctx, td->pers_pr, td->perslen_pr)))
failures++;
/*
* Now generate with PR: we need to supply entropy as this will
* perform a reseed operation.
*/
t.ent = td->entpr_pr;
t.entlen = td->entprlen_pr;
if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->katlen_pr, 1,
td->adin_pr, td->adinlen_pr))
|| !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr))
failures++;
/*
* Now generate again with PR: supply new entropy again.
*/
t.ent = td->entg_pr;
t.entlen = td->entglen_pr;
if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->kat2len_pr, 1,
td->ading_pr, td->adinglen_pr))
|| !TEST_mem_eq(td->kat2_pr, td->kat2len_pr,
buff, td->kat2len_pr))
failures++;
err:
uninstantiate(dctx);
RAND_DRBG_free(dctx);
return failures == 0;
}
/*
* Initialise a DRBG based on selftest data
*/
static int init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
{
if (!TEST_true(RAND_DRBG_set(dctx, td->nid, td->flags))
|| !TEST_true(RAND_DRBG_set_callbacks(dctx, kat_entropy, NULL,
kat_nonce, NULL)))
return 0;
RAND_DRBG_set_ex_data(dctx, app_data_index, t);
t->ent = td->ent;
t->entlen = td->entlen;
t->nonce = td->nonce;
t->noncelen = td->noncelen;
t->entcnt = 0;
t->noncecnt = 0;
return 1;
}
/*
* Initialise and instantiate DRBG based on selftest data
*/
static int instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
TEST_CTX *t)
{
if (!TEST_true(init(dctx, td, t))
|| !TEST_true(RAND_DRBG_instantiate(dctx, td->pers, td->perslen)))
return 0;
return 1;
}
/*
* Perform extensive error checking as required by SP800-90.
* Induce several failure modes and check an error condition is set.
*/
static int error_check(DRBG_SELFTEST_DATA *td)
{
static char zero[sizeof(DRBG_CTX)];
DRBG_CTX *dctx = NULL;
TEST_CTX t;
unsigned char buff[1024];
unsigned int reseed_counter_tmp;
int ret = 0;
if (!TEST_ptr(dctx = RAND_DRBG_new(0, 0, NULL)))
goto err;
/*
* Personalisation string tests
*/
/* Test detection of too large personlisation string */
if (!init(dctx, td, &t)
|| RAND_DRBG_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
goto err;
/*
* Entropy source tests
*/
/* Test entropy source failure detecion: i.e. returns no data */
t.entlen = 0;
if (TEST_int_le(RAND_DRBG_instantiate(dctx, td->pers, td->perslen), 0))
goto err;
/* Try to generate output from uninstantiated DRBG */
if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !uninstantiate(dctx))
goto err;
/* Test insufficient entropy */
t.entlen = dctx->min_entropy - 1;
if (!init(dctx, td, &t)
|| RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
|| !uninstantiate(dctx))
goto err;
/* Test too much entropy */
t.entlen = dctx->max_entropy + 1;
if (!init(dctx, td, &t)
|| RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
|| !uninstantiate(dctx))
goto err;
/*
* Nonce tests
*/
/* Test too small nonce */
if (dctx->min_nonce) {
t.noncelen = dctx->min_nonce - 1;
if (!init(dctx, td, &t)
|| RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
|| !uninstantiate(dctx))
goto err;
}
/* Test too large nonce */
if (dctx->max_nonce) {
t.noncelen = dctx->max_nonce + 1;
if (!init(dctx, td, &t)
|| RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
|| !uninstantiate(dctx))
goto err;
}
/* Instantiate with valid data, Check generation is now OK */
if (!instantiate(dctx, td, &t)
|| !TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
td->adin, td->adinlen)))
goto err;
/* Request too much data for one request */
if (!TEST_false(RAND_DRBG_generate(dctx, buff, dctx->max_request + 1, 0,
td->adin, td->adinlen)))
goto err;
/* Try too large additional input */
if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
td->adin, dctx->max_adin + 1)))
goto err;
/*
* Check prediction resistance request fails if entropy source
* failure.
*/
t.entlen = 0;
if (TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(dctx))
goto err;
/* Instantiate again with valid data */
if (!instantiate(dctx, td, &t))
goto err;
reseed_counter_tmp = dctx->reseed_counter;
dctx->reseed_counter = dctx->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entcnt = 0;
if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entcnt, 1)
|| !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1)
|| !uninstantiate(dctx))
goto err;
/*
* Check prediction resistance request fails if entropy source
* failure.
*/
t.entlen = 0;
if (!TEST_false(RAND_DRBG_generate(dctx, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(dctx))
goto err;
/* Test reseed counter works */
if (!instantiate(dctx, td, &t))
goto err;
reseed_counter_tmp = dctx->reseed_counter;
dctx->reseed_counter = dctx->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entcnt = 0;
if (!TEST_true(RAND_DRBG_generate(dctx, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entcnt, 1)
|| !TEST_int_eq(dctx->reseed_counter, reseed_counter_tmp + 1)
|| !uninstantiate(dctx))
goto err;
/*
* Explicit reseed tests
*/
/* Test explicit reseed with too large additional input */
if (!init(dctx, td, &t)
|| RAND_DRBG_reseed(dctx, td->adin, dctx->max_adin + 1) > 0)
goto err;
/* Test explicit reseed with entropy source failure */
t.entlen = 0;
if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
|| !uninstantiate(dctx))
goto err;
/* Test explicit reseed with too much entropy */
if (!init(dctx, td, &t))
goto err;
t.entlen = dctx->max_entropy + 1;
if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
|| !uninstantiate(dctx))
goto err;
/* Test explicit reseed with too little entropy */
if (!init(dctx, td, &t))
goto err;
t.entlen = dctx->min_entropy - 1;
if (!TEST_int_le(RAND_DRBG_reseed(dctx, td->adin, td->adinlen), 0)
|| !uninstantiate(dctx))
goto err;
/* Standard says we have to check uninstantiate really zeroes */
if (!TEST_mem_eq(zero, sizeof(dctx->ctr), &dctx->ctr, sizeof(dctx->ctr)))
goto err;
ret = 1;
err:
uninstantiate(dctx);
RAND_DRBG_free(dctx);
return ret;
}
static int test_kats(int i)
{
DRBG_SELFTEST_DATA *td = &drbg_test[i];
int rv = 0;
if (!single_kat(td))
goto err;
rv = 1;
err:
return rv;
}
static int test_error_checks(int i)
{
DRBG_SELFTEST_DATA *td = &drbg_test[i];
int rv = 0;
if (error_check(td))
goto err;
rv = 1;
err:
return rv;
}
int test_main(int argc, char *argv[])
{
if (argc != 1) {
TEST_error("Usage: %s", argv[0]);
return EXIT_FAILURE;
}
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
ADD_ALL_TESTS(test_kats, OSSL_NELEM(drbg_test));
ADD_ALL_TESTS(test_error_checks, OSSL_NELEM(drbg_test));
return run_tests(argv[0]);
}

579
test/drbgtest.h Normal file
View File

@ -0,0 +1,579 @@
/*
* Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/*
* Known answer tests for SP800-90 DRBG CTR mode.
*/
/*
* AES-128 use df PR
*/
static const unsigned char aes_128_use_df_pr_entropyinput[] = {
0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
0xc8, 0xdb, 0xff, 0x12
};
static const unsigned char aes_128_use_df_pr_nonce[] = {
0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
};
static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
0xd7, 0xd7, 0x01, 0x67
};
static const unsigned char aes_128_use_df_pr_additionalinput[] = {
0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
0x9a, 0x47, 0x08, 0x76
};
static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
0x09, 0xfb, 0xa3, 0xb6
};
static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
0x66, 0x1c, 0xea, 0x5b
};
static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
0x3f, 0x5e, 0x31, 0x06
};
static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
0xa7, 0xe3, 0xa8, 0x67
};
static const unsigned char aes_128_use_df_pr_returnedbits[] = {
0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
0x0f, 0x38, 0x43, 0xc6
};
/*
* AES-128 use df no PR
*/
static const unsigned char aes_128_use_df_entropyinput[] = {
0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
0x9d, 0x7d, 0x1c, 0x9b
};
static const unsigned char aes_128_use_df_nonce[] = {
0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96,
};
static const unsigned char aes_128_use_df_personalizationstring[] = {
0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
0x38, 0x66, 0xba, 0x1b
};
static const unsigned char aes_128_use_df_additionalinput[] = {
0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
0xb5, 0xe2, 0xb2, 0x41
};
static const unsigned char aes_128_use_df_int_returnedbits[] = {
0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
0xe7, 0x57, 0x11, 0xb4
};
static const unsigned char aes_128_use_df_entropyinputreseed[] = {
0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
0xc7, 0xc4, 0x9e, 0x39
};
static const unsigned char aes_128_use_df_additionalinputreseed[] = {
0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
0xc8, 0x93, 0xfa, 0x84
};
static const unsigned char aes_128_use_df_additionalinput2[] = {
0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
0x06, 0x0c, 0x15, 0x2c
};
static const unsigned char aes_128_use_df_returnedbits[] = {
0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
0x46, 0x81, 0xc7, 0x19
};
/*
* AES-192 use df PR
*/
static const unsigned char aes_192_use_df_pr_entropyinput[] = {
0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
};
static const unsigned char aes_192_use_df_pr_nonce[] = {
0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
0xd1, 0x80, 0x78, 0xfa
};
static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
};
static const unsigned char aes_192_use_df_pr_additionalinput[] = {
0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
};
static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5,
};
static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
0x19, 0x30, 0x6b, 0x67
};
static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
};
static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e,
};
static const unsigned char aes_192_use_df_pr_returnedbits[] = {
0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
0x7e, 0x1a, 0x2b, 0x83
};
/*
* AES-192 use df no PR
*/
static const unsigned char aes_192_use_df_entropyinput[] = {
0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b,
};
static const unsigned char aes_192_use_df_nonce[] = {
0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
0x77, 0xd7, 0x41, 0x0e
};
static const unsigned char aes_192_use_df_personalizationstring[] = {
0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
};
static const unsigned char aes_192_use_df_additionalinput[] = {
0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
};
static const unsigned char aes_192_use_df_int_returnedbits[] = {
0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
0xb7, 0xed, 0xe9, 0xea
};
static const unsigned char aes_192_use_df_entropyinputreseed[] = {
0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01,
};
static const unsigned char aes_192_use_df_additionalinputreseed[] = {
0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
};
static const unsigned char aes_192_use_df_additionalinput2[] = {
0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
};
static const unsigned char aes_192_use_df_returnedbits[] = {
0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
0x1a, 0xf9, 0x13, 0x28
};
/*
* AES-256 use df PR
*/
static const unsigned char aes_256_use_df_pr_entropyinput[] = {
0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
};
static const unsigned char aes_256_use_df_pr_nonce[] = {
0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
0x2b, 0x36, 0xff, 0xa4
};
static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
};
static const unsigned char aes_256_use_df_pr_additionalinput[] = {
0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
};
static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
};
static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
0x17, 0xab, 0x3c, 0x7a
};
static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
};
static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
};
static const unsigned char aes_256_use_df_pr_returnedbits[] = {
0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
0xd9, 0xe2, 0x97, 0x00
};
/*
* AES-256 use df no PR
*/
static const unsigned char aes_256_use_df_entropyinput[] = {
0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
};
static const unsigned char aes_256_use_df_nonce[] = {
0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
0x4c, 0x44, 0x84, 0x40
};
static const unsigned char aes_256_use_df_personalizationstring[] = {
0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
};
static const unsigned char aes_256_use_df_additionalinput[] = {
0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
};
static const unsigned char aes_256_use_df_int_returnedbits[] = {
0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
0x28, 0x0c, 0x3b, 0xc1
};
static const unsigned char aes_256_use_df_entropyinputreseed[] = {
0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
};
static const unsigned char aes_256_use_df_additionalinputreseed[] = {
0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
};
static const unsigned char aes_256_use_df_additionalinput2[] = {
0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
};
static const unsigned char aes_256_use_df_returnedbits[] = {
0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
0xfa, 0xfd, 0x35, 0x5e
};
/*
* AES-128 no df PR
*/
static const unsigned char aes_128_no_df_pr_entropyinput[] = {
0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
};
static const unsigned char aes_128_no_df_pr_nonce[] = {
0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1,
};
static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
};
static const unsigned char aes_128_no_df_pr_additionalinput[] = {
0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
};
static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
};
static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
0xaf, 0x19, 0x32, 0x16
};
static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
};
static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
};
static const unsigned char aes_128_no_df_pr_returnedbits[] = {
0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
0x57, 0x82, 0x33, 0xaf
};
/*
* AES-128 no df no PR
*/
static const unsigned char aes_128_no_df_entropyinput[] = {
0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
};
static const unsigned char aes_128_no_df_nonce[] = {
0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13,
};
static const unsigned char aes_128_no_df_personalizationstring[] = {
0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
};
static const unsigned char aes_128_no_df_additionalinput[] = {
0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
};
static const unsigned char aes_128_no_df_int_returnedbits[] = {
0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
0xed, 0x3e, 0x65, 0xc2
};
static const unsigned char aes_128_no_df_entropyinputreseed[] = {
0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
};
static const unsigned char aes_128_no_df_additionalinputreseed[] = {
0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
};
static const unsigned char aes_128_no_df_additionalinput2[] = {
0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
};
static const unsigned char aes_128_no_df_returnedbits[] = {
0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
0x81, 0x37, 0x19, 0xd4
};
/*
* AES-192 no df PR
*/
static const unsigned char aes_192_no_df_pr_entropyinput[] = {
0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
0x17, 0x1f, 0x8d, 0x9a
};
static const unsigned char aes_192_no_df_pr_nonce[] = {
0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
0x61, 0x5c, 0xee, 0x0f
};
static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
0x57, 0x2e, 0xe7, 0x55
};
static const unsigned char aes_192_no_df_pr_additionalinput[] = {
0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
0xe2, 0xd0, 0x0c, 0x2f
};
static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
0x1d, 0x30, 0xb3, 0x78
};
static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
0x7e, 0x3e, 0x0c, 0x26
};
static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
0x0c, 0x4b, 0xee, 0x6e
};
static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
0x8e, 0x0a, 0x83, 0xdf
};
static const unsigned char aes_192_no_df_pr_returnedbits[] = {
0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
0xb9, 0xa1, 0x21, 0x68
};
/*
* AES-192 no df no PR
*/
static const unsigned char aes_192_no_df_entropyinput[] = {
0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
0x94, 0xc3, 0x59, 0x63
};
static const unsigned char aes_192_no_df_nonce[] = {
0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
0x29, 0xfd, 0x45, 0x71
};
static const unsigned char aes_192_no_df_personalizationstring[] = {
0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
0x3b, 0x88, 0xce, 0x35
};
static const unsigned char aes_192_no_df_additionalinput[] = {
0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
0x3e, 0xbe, 0xd4, 0x8e
};
static const unsigned char aes_192_no_df_int_returnedbits[] = {
0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
0x45, 0xe7, 0x4a, 0xc5
};
static const unsigned char aes_192_no_df_entropyinputreseed[] = {
0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
0x9b, 0xcb, 0x7e, 0x75
};
static const unsigned char aes_192_no_df_additionalinputreseed[] = {
0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
0x5d, 0x7a, 0x25, 0x79
};
static const unsigned char aes_192_no_df_additionalinput2[] = {
0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
0x91, 0x6a, 0xe3, 0x5f
};
static const unsigned char aes_192_no_df_returnedbits[] = {
0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
0x66, 0x67, 0x2c, 0x92
};
/*
* AES-256 no df PR
*/
static const unsigned char aes_256_no_df_pr_entropyinput[] = {
0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c,
};
static const unsigned char aes_256_no_df_pr_nonce[] = {
0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
0xcc, 0x4b, 0xee, 0x2e
};
static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06,
};
static const unsigned char aes_256_no_df_pr_additionalinput[] = {
0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e,
};
static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f,
};
static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
0x79, 0x60, 0x93, 0xcf
};
static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb,
};
static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f,
};
static const unsigned char aes_256_no_df_pr_returnedbits[] = {
0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
0x2d, 0x5f, 0x4a, 0x46
};
/*
* AES-256 no df no PR
*/
static const unsigned char aes_256_no_df_entropyinput[] = {
0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3,
};
static const unsigned char aes_256_no_df_nonce[] = {
0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
0x43, 0x96, 0xb9, 0xf0
};
static const unsigned char aes_256_no_df_personalizationstring[] = {
0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d,
};
static const unsigned char aes_256_no_df_additionalinput[] = {
0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17,
};
static const unsigned char aes_256_no_df_int_returnedbits[] = {
0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
0xd2, 0x25, 0x75, 0x0e
};
static const unsigned char aes_256_no_df_entropyinputreseed[] = {
0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb,
};
static const unsigned char aes_256_no_df_additionalinputreseed[] = {
0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29,
};
static const unsigned char aes_256_no_df_additionalinput2[] = {
0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6,
};
static const unsigned char aes_256_no_df_returnedbits[] = {
0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
0xf6, 0x02, 0x32, 0xe2
};

9
test/recipes/05-test_rand.t
View File

@ -6,7 +6,12 @@
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Simple;
plan tests => 2;
setup("test_rand");
simple_test("test_rand", "randtest", "rand");
ok(run(test(["randtest"])));
ok(run(test(["drbgtest"])));

13
util/libcrypto.num
View File

@ -4345,3 +4345,16 @@ OSSL_STORE_LOADER_get0_engine 4287 1_1_1 EXIST::FUNCTION:
OPENSSL_fork_prepare 4288 1_1_1 EXIST:UNIX:FUNCTION:
OPENSSL_fork_parent 4289 1_1_1 EXIST:UNIX:FUNCTION:
OPENSSL_fork_child 4290 1_1_1 EXIST:UNIX:FUNCTION:
RAND_drbg 4291 1_1_1 EXIST::FUNCTION:
RAND_DRBG_instantiate 4292 1_1_1 EXIST::FUNCTION:
RAND_DRBG_uninstantiate 4293 1_1_1 EXIST::FUNCTION:
RAND_DRBG_get_default 4294 1_1_1 EXIST::FUNCTION:
RAND_DRBG_set 4295 1_1_1 EXIST::FUNCTION:
RAND_DRBG_set_callbacks 4296 1_1_1 EXIST::FUNCTION:
RAND_DRBG_new 4297 1_1_1 EXIST::FUNCTION:
RAND_DRBG_set_reseed_interval 4298 1_1_1 EXIST::FUNCTION:
RAND_DRBG_free 4299 1_1_1 EXIST::FUNCTION:
RAND_DRBG_generate 4300 1_1_1 EXIST::FUNCTION:
RAND_DRBG_reseed 4301 1_1_1 EXIST::FUNCTION:
RAND_DRBG_set_ex_data 4302 1_1_1 EXIST::FUNCTION:
RAND_DRBG_get_ex_data 4303 1_1_1 EXIST::FUNCTION:

1
util/mkdef.pl
View File

@ -246,6 +246,7 @@ my $crypto ="include/internal/dso.h";
$crypto.=" include/internal/o_dir.h";
$crypto.=" include/internal/o_str.h";
$crypto.=" include/internal/err.h";
$crypto.=" include/internal/rand.h";
foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) {
my $fn = "include/openssl/" . lc(basename($f));
$crypto .= " $fn" if !defined $skipthese{$fn} && $f !~ m@/[a-z]+err\.h$@;