1267843Sdelphij/* $NetBSD: nist_hash_drbg.c,v 1.3 2019/09/19 18:29:55 riastradh Exp $ */ 2267843Sdelphij 3267843Sdelphij/*- 4267843Sdelphij * Copyright (c) 2019 The NetBSD Foundation, Inc. 5267843Sdelphij * All rights reserved. 6267843Sdelphij * 7267843Sdelphij * This code is derived from software contributed to The NetBSD Foundation 8267843Sdelphij * by Taylor R. Campbell. 9267843Sdelphij * 10267843Sdelphij * Redistribution and use in source and binary forms, with or without 11267843Sdelphij * modification, are permitted provided that the following conditions 12267843Sdelphij * are met: 13267843Sdelphij * 1. Redistributions of source code must retain the above copyright 14267843Sdelphij * notice, this list of conditions and the following disclaimer. 15267843Sdelphij * 2. Redistributions in binary form must reproduce the above copyright 16267843Sdelphij * notice, this list of conditions and the following disclaimer in the 17267843Sdelphij * documentation and/or other materials provided with the distribution. 18267843Sdelphij * 19267843Sdelphij * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20267843Sdelphij * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21267843Sdelphij * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22267843Sdelphij * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23267843Sdelphij * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24267843Sdelphij * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25267843Sdelphij * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26267843Sdelphij * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27267843Sdelphij * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28267843Sdelphij * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29267843Sdelphij * POSSIBILITY OF SUCH DAMAGE. 30267843Sdelphij */ 31267843Sdelphij 32267843Sdelphij/* 33267843Sdelphij * This file implements Hash_DRBG, a `deterministic random bit 34267843Sdelphij * generator' (more commonly known in lay terms and in the cryptography 35267843Sdelphij * literature as a pseudorandom bit generator or pseudorandom number 36267843Sdelphij * generator), described in 37267843Sdelphij * 38267843Sdelphij * Elaine Barker and John Kelsey, `Recommendation for Random 39267843Sdelphij * Number Generation Using Deterministic Random Bit Generators', 40267843Sdelphij * NIST SP800-90A, June 2015. 41267843Sdelphij * 42267843Sdelphij * This code is meant to work in userland or in kernel. For a test 43267843Sdelphij * program, compile with -DNIST_HASH_DRBG_MAIN to define a `main' 44267843Sdelphij * function; for verbose debugging output, compile with 45267843Sdelphij * -DNIST_HASH_DRBG_DEBUG, mainly useful if you need to change 46267843Sdelphij * something and have to diagnose what's wrong with the known-answer 47267843Sdelphij * tests. 48267843Sdelphij */ 49267843Sdelphij 50267843Sdelphij#ifdef _KERNEL 51267843Sdelphij#include <sys/cdefs.h> 52267843Sdelphij__KERNEL_RCSID(0, "$NetBSD: nist_hash_drbg.c,v 1.3 2019/09/19 18:29:55 riastradh Exp $"); 53267843Sdelphij#endif 54267843Sdelphij 55267843Sdelphij#include <sys/param.h> 56267843Sdelphij#include <sys/types.h> 57267843Sdelphij#include <sys/sha2.h> 58267843Sdelphij 59267843Sdelphij#ifdef _KERNEL 60267843Sdelphij#include <sys/systm.h> /* memcpy */ 61267843Sdelphij#include <lib/libkern/libkern.h> /* KASSERT */ 62267843Sdelphij#define ASSERT KASSERT 63267843Sdelphij#else 64267843Sdelphij#include <assert.h> 65267843Sdelphij#include <stdbool.h> 66267843Sdelphij#include <stdio.h> 67267843Sdelphij#include <string.h> 68267843Sdelphij#define ASSERT assert 69267843Sdelphij#define CTASSERT __CTASSERT 70267843Sdelphij#endif 71267843Sdelphij 72267843Sdelphij#include "nist_hash_drbg.h" 73267843Sdelphij 74267843Sdelphij#define secret /* must not use in variable-time operations; should zero */ 75267843Sdelphij#define arraycount(A) (sizeof(A)/sizeof(A[0])) 76267843Sdelphij 77267843SdelphijCTASSERT(0 < NIST_HASH_DRBG_RESEED_INTERVAL); 78267843SdelphijCTASSERT(NIST_HASH_DRBG_RESEED_INTERVAL <= INT_MAX); 79267843SdelphijCTASSERT(NIST_HASH_DRBG_RESEED_INTERVAL <= ~(~0ull << 48)); 80267843Sdelphij 81267843Sdelphij/* Instantiation: SHA-256 */ 82267843Sdelphij#define HASH_LENGTH SHA256_DIGEST_LENGTH 83267843Sdelphij#define HASH_CTX SHA256_CTX 84267843Sdelphij#define hash_init SHA256_Init 85267843Sdelphij#define hash_update SHA256_Update 86267843Sdelphij#define hash_final SHA256_Final 87267843Sdelphij 88267843Sdelphij#define SEEDLEN_BYTES NIST_HASH_DRBG_SEEDLEN_BYTES 89267843Sdelphij 90267843Sdelphijstruct hvec { 91267843Sdelphij const void *hv_base; 92267843Sdelphij size_t hv_len; 93267843Sdelphij}; 94267843Sdelphij 95267843Sdelphijstatic void hashgen(secret uint8_t *, size_t, 96267843Sdelphij const secret uint8_t[SEEDLEN_BYTES]); 97267843Sdelphijstatic void add8(secret uint8_t *, size_t, const secret uint8_t *, size_t); 98267843Sdelphijstatic void hash_df(secret void *, size_t, const struct hvec *, size_t); 99static void hash_df_block(secret void *, uint8_t, uint8_t[4], 100 const struct hvec *, size_t); 101 102/* 10.1.1 Hash_DRBG */ 103 104int 105nist_hash_drbg_destroy(struct nist_hash_drbg *D) 106{ 107 108 explicit_memset(D, 0, sizeof(*D)); 109 D->reseed_counter = UINT_MAX; /* paranoia: make generate fail */ 110 111 /* Always return zero for hysterical raisins. (XXX) */ 112 return 0; 113} 114 115/* 10.1.1.2 Instantiation of Hash_DRBG */ 116 117int 118nist_hash_drbg_instantiate(secret struct nist_hash_drbg *D, 119 const secret void *entropy, size_t entropylen, 120 const void *nonce, size_t noncelen, 121 const void *personalization, size_t personalizationlen) 122{ 123 /* 124 * 1. seed_material = entropy_input || nonce || personalization_string 125 */ 126 const struct hvec seed_material[] = { 127 { .hv_base = entropy, .hv_len = entropylen }, 128 { .hv_base = nonce, .hv_len = noncelen }, 129 { .hv_base = personalization, .hv_len = personalizationlen }, 130 }; 131 132 /* 133 * 2. seed = Hash_df(seed_material, seedlen) 134 * 3. V = seed 135 */ 136 CTASSERT(sizeof D->V == SEEDLEN_BYTES); 137 hash_df(D->V, sizeof D->V, seed_material, arraycount(seed_material)); 138 139 /* 4. C = Hash_df((0x00 || V), seedlen) */ 140 const struct hvec hv[] = { 141 { .hv_base = (const uint8_t[]) {0x00}, .hv_len = 1 }, 142 { .hv_base = D->V, .hv_len = sizeof D->V }, 143 }; 144 CTASSERT(sizeof D->C == SEEDLEN_BYTES); 145 hash_df(D->C, sizeof D->C, hv, arraycount(hv)); 146 147 /* 5. reseed_counter = 1 */ 148 D->reseed_counter = 1; 149 150 /* Always return zero for hysterical raisins. (XXX) */ 151 return 0; 152} 153 154/* 10.1.1.3 Reseeding a Hash_DRBG Instantiation */ 155 156int 157nist_hash_drbg_reseed(secret struct nist_hash_drbg *D, 158 const secret void *entropy, size_t entropylen, 159 const void *additional, size_t additionallen) 160{ 161 /* 1. seed_material = 0x01 || V || entropy_input || additional_input */ 162 const struct hvec seed_material[] = { 163 { .hv_base = (const uint8_t[]) {0x01}, .hv_len = 1 }, 164 { .hv_base = D->V, .hv_len = sizeof D->V }, 165 { .hv_base = entropy, .hv_len = entropylen }, 166 { .hv_base = additional, .hv_len = additionallen }, 167 }; 168 uint8_t seed[SEEDLEN_BYTES]; 169 170 /* 171 * 2. seed = Hash_df(seed_material, seedlen) 172 * 3. V = seed 173 */ 174 CTASSERT(sizeof D->V == SEEDLEN_BYTES); 175 hash_df(seed, sizeof seed, seed_material, arraycount(seed_material)); 176 memcpy(D->V, seed, sizeof D->V); 177 178 /* 3. C = Hash_df((0x00 || V), seedlen) */ 179 const struct hvec hv[] = { 180 { .hv_base = (const uint8_t[]) {0x00}, .hv_len = 1 }, 181 { .hv_base = D->V, .hv_len = sizeof D->V }, 182 }; 183 CTASSERT(sizeof D->C == SEEDLEN_BYTES); 184 hash_df(D->C, sizeof D->C, hv, arraycount(hv)); 185 186 /* 5. reseed_counter = 1 */ 187 D->reseed_counter = 1; 188 189 /* Always return zero for hysterical raisins. (XXX) */ 190 return 0; 191} 192 193/* 10.1.1.4 Generating Pseudorandom Bits Using Hash_DRBG */ 194 195int 196nist_hash_drbg_generate(secret struct nist_hash_drbg *D, 197 secret void *output, size_t outputlen, 198 const void *additional, size_t additionallen) 199{ 200 secret HASH_CTX ctx; 201 secret uint8_t H[HASH_LENGTH]; 202 uint8_t reseed_counter[4]; 203 204 ASSERT(outputlen <= NIST_HASH_DRBG_MAX_REQUEST_BYTES); 205 206 /* 207 * 1. If reseed_counter > reseed_interval, then return an 208 * indication that a reseed is required. 209 */ 210 if (D->reseed_counter > NIST_HASH_DRBG_RESEED_INTERVAL) 211 return 1; 212 213 /* 2. If (additional_input != Null), then do: */ 214 if (additionallen) { 215 /* 2.1 w = Hash(0x02 || V || additional_input) */ 216 secret uint8_t w[HASH_LENGTH]; 217 218 hash_init(&ctx); 219 hash_update(&ctx, (const uint8_t[]) {0x02}, 1); 220 hash_update(&ctx, D->V, sizeof D->V); 221 hash_update(&ctx, additional, additionallen); 222 hash_final(w, &ctx); 223 224 /* 2.2 V = (V + w) mod 2^seedlen */ 225 add8(D->V, sizeof D->V, w, sizeof w); 226 227 explicit_memset(w, 0, sizeof w); 228 } 229 230 /* 3. (returned_bits) = Hashgen(requested_number_of_bits, V) */ 231 hashgen(output, outputlen, D->V); 232 233 /* 4. H = Hash(0x03 || V) */ 234 hash_init(&ctx); 235 hash_update(&ctx, (const uint8_t[]) {0x03}, 1); 236 hash_update(&ctx, D->V, sizeof D->V); 237 hash_final(H, &ctx); 238 239 /* 5. V = (V + H + C + reseed_counter) mod 2^seedlen */ 240 be32enc(reseed_counter, D->reseed_counter); 241 add8(D->V, sizeof D->V, H, sizeof H); 242 add8(D->V, sizeof D->V, D->C, sizeof D->C); 243 add8(D->V, sizeof D->V, reseed_counter, sizeof reseed_counter); 244 245 /* 6. reseed_counter = reseed_counter + 1 */ 246 D->reseed_counter++; 247 248 explicit_memset(&ctx, 0, sizeof ctx); 249 explicit_memset(H, 0, sizeof H); 250 251 /* 7. Return SUCCESS, ... */ 252 return 0; 253} 254 255/* 256 * p := H(V) || H(V + 1) || H(V + 2) || ... 257 */ 258static void 259hashgen(secret uint8_t *p, size_t n, const secret uint8_t V[SEEDLEN_BYTES]) 260{ 261 secret uint8_t data[SEEDLEN_BYTES]; 262 secret HASH_CTX ctx; 263 264 /* Save a copy so that we can increment it. */ 265 memcpy(data, V, SEEDLEN_BYTES); 266 267 /* Generate block by block into p directly. */ 268 while (HASH_LENGTH <= n) { 269 hash_init(&ctx); 270 hash_update(&ctx, data, SEEDLEN_BYTES); 271 hash_final(p, &ctx); 272 273 p += HASH_LENGTH; 274 n -= HASH_LENGTH; 275 add8(data, sizeof data, (const uint8_t[]) {1}, 1); 276 } 277 278 /* 279 * If any partial block requested, generate a full block and 280 * copy the part we need. 281 */ 282 if (n) { 283 secret uint8_t t[HASH_LENGTH]; 284 285 hash_init(&ctx); 286 hash_update(&ctx, data, SEEDLEN_BYTES); 287 hash_final(t, &ctx); 288 289 memcpy(p, t, n); 290 explicit_memset(t, 0, sizeof t); 291 } 292 293 explicit_memset(data, 0, sizeof data); 294 explicit_memset(&ctx, 0, sizeof ctx); 295} 296 297/* 298 * s := s + a (big-endian, radix-2^8) 299 */ 300static void 301add8(secret uint8_t *s, size_t slen, const secret uint8_t *a, size_t alen) 302{ 303 const size_t smax = slen - 1, amax = alen - 1; 304 size_t i; 305 secret unsigned c = 0; 306 307 /* 2^8 c + s_i := s_i + a_i + c */ 308 for (i = 0; i < MIN(slen, alen); i++) { 309 c += s[smax - i] + a[amax - i]; 310 s[smax - i] = c & 0xff; 311 c >>= 8; 312 } 313 314 /* 2^8 c + s_i := s_i + c */ 315 for (; i < slen; i++) { 316 c += s[smax - i]; 317 s[smax - i] = c & 0xff; 318 c >>= 8; 319 } 320 321 explicit_memset(&c, 0, sizeof c); 322} 323 324/* 10.4.1 Derivation Function Using a Hash Function (Hash_df) */ 325 326static void 327hash_df(void *h, size_t hlen, const struct hvec *input, size_t inputlen) 328{ 329 uint8_t *p = h; 330 size_t n = hlen; 331 uint8_t counter = 1; 332 uint8_t hbits[4]; 333 334 ASSERT(hlen <= 255*HASH_LENGTH); 335 ASSERT(hlen <= UINT32_MAX/8); 336 be32enc(hbits, 8*hlen); 337 338 while (HASH_LENGTH <= n) { 339 hash_df_block(p, counter++, hbits, input, inputlen); 340 p += HASH_LENGTH; 341 n -= HASH_LENGTH; 342 } 343 344 if (n) { 345 secret uint8_t t[HASH_LENGTH]; 346 347 hash_df_block(t, counter, hbits, input, inputlen); 348 memcpy(p, t, n); 349 350 explicit_memset(t, 0, sizeof t); 351 } 352} 353 354static void 355hash_df_block(secret void *h, uint8_t counter, uint8_t hbits[4], 356 const struct hvec *input, size_t inputlen) 357{ 358 secret HASH_CTX ctx; 359 size_t i; 360 361 /* 362 * Hash_df Process, step 4.1: 363 * Hash(counter || no_of_bits_to_return || input_string) 364 */ 365 hash_init(&ctx); 366 hash_update(&ctx, &counter, 1); 367 hash_update(&ctx, hbits, 4); 368 for (i = 0; i < inputlen; i++) { 369 if (input[i].hv_len) 370 hash_update(&ctx, input[i].hv_base, input[i].hv_len); 371 } 372 hash_final(h, &ctx); 373 374 explicit_memset(&ctx, 0, sizeof ctx); 375} 376 377/* 378 * Known-answer test vectors for Hash_DRBG with SHA-256 379 */ 380 381/* Hash_DRBG.PDF, p. 190 */ 382static const uint8_t kat_entropy[3][SEEDLEN_BYTES] = { 383 [0] = { 384 0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07, 385 0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f, 386 0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17, 387 0x18,0x19,0x1a,0x1b, 0x1c,0x1d,0x1e,0x1f, 388 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27, 389 0x28,0x29,0x2a,0x2b, 0x2c,0x2d,0x2e,0x2f, 390 0x30,0x31,0x32,0x33, 0x34,0x35,0x36, 391 }, 392 [1] = { /* for reseed1 */ 393 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87, 394 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f, 395 0x90,0x91,0x92,0x93, 0x94,0x95,0x96,0x97, 396 0x98,0x99,0x9a,0x9b, 0x9c,0x9d,0x9e,0x9f, 397 0xa0,0xa1,0xa2,0xa3, 0xa4,0xa5,0xa6,0xa7, 398 0xa8,0xa9,0xaa,0xab, 0xac,0xad,0xae,0xaf, 399 0xb0,0xb1,0xb2,0xb3, 0xb4,0xb5,0xb6, 400 }, 401 [2] = { /* for reseed2 */ 402 0xc0,0xc1,0xc2,0xc3, 0xc4,0xc5,0xc6,0xc7, 403 0xc8,0xc9,0xca,0xcb, 0xcc,0xcd,0xce,0xcf, 404 0xd0,0xd1,0xd2,0xd3, 0xd4,0xd5,0xd6,0xd7, 405 0xd8,0xd9,0xda,0xdb, 0xdc,0xdd,0xde,0xdf, 406 0xe0,0xe1,0xe2,0xe3, 0xe4,0xe5,0xe6,0xe7, 407 0xe8,0xe9,0xea,0xeb, 0xec,0xed,0xee,0xef, 408 0xf0,0xf1,0xf2,0xf3, 0xf4,0xf5,0xf6, 409 }, 410}; 411 412static const uint8_t kat_nonce[] = { 413 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27, 414}; 415 416static const struct hvec kat_zero = { .hv_base = 0, .hv_len = 0 }; 417 418static const struct hvec kat_personalization = { 419 .hv_len = 55, 420 .hv_base = (const void *)(const uint8_t[]) { /* p. 208 */ 421 0x40,0x41,0x42,0x43, 0x44,0x45,0x46,0x47, 422 0x48,0x49,0x4a,0x4b, 0x4c,0x4d,0x4e,0x4f, 423 0x50,0x51,0x52,0x53, 0x54,0x55,0x56,0x57, 424 0x58,0x59,0x5a,0x5b, 0x5c,0x5d,0x5e,0x5f, 425 0x60,0x61,0x62,0x63, 0x64,0x65,0x66,0x67, 426 0x68,0x69,0x6a,0x6b, 0x6c,0x6d,0x6e,0x6f, 427 0x70,0x71,0x72,0x73, 0x74,0x75,0x76, 428 }, 429}; 430 431static const struct hvec *const kat_no_additional[] = { 432 [0] = &kat_zero, 433 [1] = &kat_zero, 434}; 435 436static const struct hvec *const kat_additional[] = { 437 [0] = &(const struct hvec) { 438 .hv_len = 55, 439 .hv_base = (const void *)(const uint8_t[]) { 440 0x60,0x61,0x62,0x63, 0x64,0x65,0x66,0x67, 441 0x68,0x69,0x6a,0x6b, 0x6c,0x6d,0x6e,0x6f, 442 0x70,0x71,0x72,0x73, 0x74,0x75,0x76,0x77, 443 0x78,0x79,0x7a,0x7b, 0x7c,0x7d,0x7e,0x7f, 444 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87, 445 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f, 446 0x90,0x91,0x92,0x93, 0x94,0x95,0x96, 447 }, 448 }, 449 [1] = &(const struct hvec) { 450 .hv_len = 55, 451 .hv_base = (const void *)(const uint8_t[]) { 452 0xa0,0xa1,0xa2,0xa3, 0xa4,0xa5,0xa6,0xa7, 453 0xa8,0xa9,0xaa,0xab, 0xac,0xad,0xae,0xaf, 454 0xb0,0xb1,0xb2,0xb3, 0xb4,0xb5,0xb6,0xb7, 455 0xb8,0xb9,0xba,0xbb, 0xbc,0xbd,0xbe,0xbf, 456 0xc0,0xc1,0xc2,0xc3, 0xc4,0xc5,0xc6,0xc7, 457 0xc8,0xc9,0xca,0xcb, 0xcc,0xcd,0xce,0xcf, 458 0xd0,0xd1,0xd2,0xd3, 0xd4,0xd5,0xd6, 459 }, 460 }, 461}; 462 463static const struct { 464 const struct hvec *personalization; 465 const struct hvec *const *additional; 466 bool reseed; 467 uint8_t C[SEEDLEN_BYTES]; 468 uint8_t V[3][SEEDLEN_BYTES]; 469 uint8_t rnd_val[2][64]; 470} kat[] = { 471 [0] = { /* Hash_DRBG.pdf, p. 190 */ 472 .personalization = &kat_zero, 473 .additional = kat_no_additional, 474 .reseed = false, 475 .C = { /* p. 193 */ 476 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, 477 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, 478 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, 479 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, 480 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, 481 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, 482 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, 483 }, 484 .V = { 485 [0] = { /* p. 192 */ 486 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, 487 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, 488 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, 489 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, 490 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, 491 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, 492 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, 493 }, 494 [1] = { /* p. 195 */ 495 0x8c,0x9f,0xb2,0x8d, 0x1b,0x5c,0xcc,0xa4, 496 0x7e,0x7c,0xfa,0x66, 0xba,0xce,0x21,0xff, 497 0x26,0x0a,0x16,0xa5, 0xba,0xba,0x7f,0x14, 498 0x4e,0x75,0x79,0x36, 0x8e,0x99,0x55,0xbe, 499 0xfb,0xe7,0x00,0xee, 0xf8,0x72,0x77,0x6b, 500 0x17,0xae,0xff,0xd5, 0x3d,0x76,0xf4,0xe3, 501 0xbe,0x65,0xe8,0xc9, 0x4b,0x70,0x8f, 502 }, 503 [2] = { /* p. 197 */ 504 0x6d,0xfd,0x97,0x35, 0xff,0x0e,0x0e,0x3f, 505 0xe0,0x52,0x2f,0x58, 0x18,0x8b,0x53,0xed, 506 0x3f,0xf6,0x70,0x05, 0x46,0x52,0x90,0x44, 507 0xb6,0x2b,0xe1,0x7d, 0x1b,0x1c,0x21,0xd0, 508 0x91,0xb0,0x89,0xb1, 0x77,0x47,0x95,0xdb, 509 0x14,0x22,0xa8,0x6c, 0x95,0x46,0x34,0x80, 510 0x76,0xb4,0xb6,0x21, 0xc7,0x2f,0x91, 511 }, 512 }, 513 .rnd_val = { 514 [0] = { 515 0x77,0xe0,0x5a,0x0e, 0x7d,0xc7,0x8a,0xb5, 516 0xd8,0x93,0x4d,0x5e, 0x93,0xe8,0x2c,0x06, 517 0xa0,0x7c,0x04,0xce, 0xe6,0xc9,0xc5,0x30, 518 0x45,0xee,0xb4,0x85, 0x87,0x27,0x77,0xcf, 519 0x3b,0x3e,0x35,0xc4, 0x74,0xf9,0x76,0xb8, 520 0x94,0xbf,0x30,0x1a, 0x86,0xfa,0x65,0x1f, 521 0x46,0x39,0x70,0xe8, 0x9d,0x4a,0x05,0x34, 522 0xb2,0xec,0xad,0x29, 0xec,0x04,0x4e,0x7e, 523 }, 524 { 525 0x5f,0xf4,0xba,0x49, 0x3c,0x40,0xcf,0xff, 526 0x3b,0x01,0xe4,0x72, 0xc5,0x75,0x66,0x8c, 527 0xce,0x38,0x80,0xb9, 0x29,0x0b,0x05,0xbf, 528 0xed,0xe5,0xec,0x96, 0xed,0x5e,0x9b,0x28, 529 0x98,0x50,0x8b,0x09, 0xbc,0x80,0x0e,0xee, 530 0x09,0x9a,0x3c,0x90, 0x60,0x2a,0xbd,0x4b, 531 0x1d,0x4f,0x34,0x3d, 0x49,0x7c,0x60,0x55, 532 0xc8,0x7b,0xb9,0x56, 0xd5,0x3b,0xf3,0x51, 533 }, 534 }, 535 }, 536 537 [1] = { /* Hash_DRBG.pdf, p. 198 */ 538 .personalization = &kat_zero, 539 .additional = kat_additional, 540 .reseed = false, 541 .C = { /* p. 201 */ 542 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, 543 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, 544 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, 545 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, 546 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, 547 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, 548 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, 549 }, 550 .V = { 551 [0] = { /* p. 200 */ 552 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, 553 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, 554 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, 555 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, 556 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, 557 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, 558 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, 559 }, 560 [1] = { /* p. 204 */ 561 0x8c,0x9f,0xb2,0x8d, 0x1b,0x5c,0xcc,0xa4, 562 0x7e,0x7c,0xfa,0x66, 0xba,0xce,0x21,0xff, 563 0x26,0x0a,0x16,0xa5, 0xba,0xba,0x7f,0x1f, 564 0xd3,0x3b,0x30,0x79, 0x8f,0xb2,0x9a,0x0f, 565 0xba,0x66,0x65,0x02, 0x7d,0x7f,0x10,0x58, 566 0x71,0xbf,0xb4,0x40, 0xdf,0xbe,0xde,0x81, 567 0xd0,0x4d,0x22,0xdf, 0xf7,0x89,0xe1, 568 }, 569 [2] = { /* p. 207 */ 570 0x6d,0xfd,0x97,0x35, 0xff,0x0e,0x0e,0x3f, 571 0xe0,0x52,0x2f,0x58, 0x18,0x8b,0x53,0xed, 572 0x3f,0xf6,0x70,0x05, 0x46,0x52,0x90,0xe1, 573 0x7c,0x5a,0xd8,0x2d, 0xa9,0x2a,0x05,0x01, 574 0xaa,0x66,0x3a,0xa6, 0x9f,0xa5,0xa0,0xb0, 575 0x81,0x2b,0x4b,0x4f, 0xaf,0xf3,0xfe,0xce, 576 0x79,0xcc,0xf6,0xaa, 0xde,0xc1,0xd0, 577 }, 578 }, 579 .rnd_val = { 580 [0] = { /* p. 203 */ 581 0x51,0x07,0x24,0xb9, 0x3a,0xe9,0xa1,0x82, 582 0x70,0xe4,0x84,0x73, 0x71,0x1d,0x88,0x24, 583 0x63,0x1b,0xaa,0x7f, 0x1d,0x9a,0xc9,0x28, 584 0x4e,0x7e,0xc8,0xf3, 0x63,0x7f,0x7a,0x74, 585 0x3b,0x36,0x44,0xeb, 0x96,0xc9,0x86,0x27, 586 0xc8,0xfd,0x40,0x5a, 0x7a,0x46,0x03,0xf3, 587 0x8c,0xff,0x7c,0x89, 0xe9,0xc1,0x33,0xf5, 588 0x85,0x1f,0x40,0xe9, 0x20,0x30,0xfe,0xa2, 589 }, 590 [1] = { /* p. 206 */ 591 0x62,0x53,0xda,0x3a, 0xae,0x8b,0x88,0xa3, 592 0xb7,0x46,0xe4,0xc8, 0xb2,0x63,0x5c,0x54, 593 0x0f,0x6e,0x9e,0xa7, 0x15,0x7e,0xe6,0x9d, 594 0xd7,0x1e,0xfb,0x2e, 0x8f,0xf7,0xbb,0xe1, 595 0xe3,0x33,0x68,0x88, 0x38,0xdd,0x7d,0xe4, 596 0x9c,0xc8,0x89,0x90, 0x30,0x9c,0x96,0xcd, 597 0xb2,0xab,0x92,0x95, 0x74,0x36,0xbf,0x83, 598 0xd1,0xbd,0x83,0x08, 0x19,0xc7,0x48,0xca, 599 }, 600 }, 601 }, 602 603 [2] = { /* Hash_DRBG.pdf, p. 208 */ 604 .personalization = &kat_personalization, 605 .additional = kat_no_additional, 606 .reseed = false, 607 .C = { /* p. 211 */ 608 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, 609 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, 610 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, 611 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, 612 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, 613 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, 614 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, 615 }, 616 .V = { 617 [0] = { /* p. 210 */ 618 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, 619 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, 620 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, 621 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, 622 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, 623 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, 624 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, 625 }, 626 [1] = { /* p. 213 */ 627 0xe8,0x5d,0xd8,0xb1, 0xd8,0x6c,0x16,0xbf, 628 0x62,0x8b,0xf3,0xb5, 0xf9,0x97,0x04,0x4d, 629 0x2a,0x69,0x13,0x8c, 0xd6,0xa6,0x6e,0xe7, 630 0x36,0xdb,0xaa,0x3b, 0xf1,0xd0,0x28,0x3b, 631 0x71,0x7b,0x33,0x6e, 0xb3,0xae,0x5b,0xdd, 632 0x04,0x17,0x2e,0xa2, 0x6e,0x5a,0x48,0xf3, 633 0xb3,0xfb,0xab,0xf8, 0x2f,0x76,0x79, 634 }, 635 [2] = { /* p. 215 */ 636 0x2c,0xd2,0x63,0x2a, 0x89,0xda,0x8c,0x15, 637 0x02,0x14,0x11,0x07, 0xba,0xf5,0x02,0xb9, 638 0x7d,0x38,0xc4,0x48, 0x48,0x08,0x71,0x0a, 639 0x66,0xf8,0x40,0x11, 0xd7,0x02,0x8d,0x14, 640 0xd3,0x15,0x5a,0x73, 0x79,0xad,0xd5,0x3c, 641 0xc8,0xea,0x84,0xd0, 0xfc,0x64,0x1d,0xfc, 642 0x62,0x9e,0x06,0x19, 0x1f,0x5f,0x6d, 643 }, 644 }, 645 .rnd_val = { 646 [0] = { /* p. 213 */ 647 0x4a,0x62,0x66,0x4f, 0x26,0x6e,0xe5,0x37, 648 0xb9,0x0d,0x64,0xb0, 0x5e,0x1d,0x81,0x3d, 649 0x28,0xb1,0x59,0xa9, 0x79,0xf1,0x50,0x9d, 650 0xde,0x31,0xb7,0x1d, 0xa4,0x3d,0x54,0x6e, 651 0xe8,0xe7,0x86,0x78, 0x20,0x2d,0xc2,0x37, 652 0xad,0x4a,0xfe,0x7d, 0xf3,0x10,0xc9,0xa4, 653 0x13,0xe3,0x8a,0xaf, 0x41,0x7d,0x2d,0x22, 654 0x5a,0xa3,0x65,0xec, 0x4a,0x7d,0x29,0x96, 655 }, 656 [1] = { /* p. 215 */ 657 0x59,0x58,0x3d,0x3c, 0x0a,0xc3,0x71,0x30, 658 0xc4,0x78,0x9a,0x83, 0x11,0xb8,0xca,0x8f, 659 0x98,0x5e,0xf1,0xe8, 0xf9,0x4d,0x95,0x4e, 660 0x32,0xe3,0x44,0xa6, 0x21,0xc2,0x4b,0x2f, 661 0x37,0x1d,0xa9,0xba, 0x3c,0x33,0x15,0x3f, 662 0x09,0xe5,0x51,0x45, 0xe7,0x62,0x92,0x6b, 663 0x73,0xac,0x14,0x7a, 0x1e,0x86,0x31,0xd1, 664 0xcc,0xd0,0x85,0x67, 0xcf,0x67,0x7c,0x72, 665 }, 666 }, 667 }, 668 669 [3] = { /* Hash_DRBG.pdf, p. 215 */ 670 .personalization = &kat_personalization, 671 .additional = kat_additional, 672 .reseed = false, 673 .C = { /* p. 220 */ 674 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, 675 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, 676 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, 677 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, 678 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, 679 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, 680 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, 681 }, 682 .V = { 683 [0] = { /* p. 218 */ 684 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, 685 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, 686 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, 687 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, 688 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, 689 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, 690 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, 691 }, 692 [1] = { /* p. 222 */ 693 0xe8,0x5d,0xd8,0xb1, 0xd8,0x6c,0x16,0xbf, 694 0x62,0x8b,0xf3,0xb5, 0xf9,0x97,0x04,0x4d, 695 0x2a,0x69,0x13,0x8c, 0xd6,0xa6,0x6f,0x8c, 696 0xa8,0x7b,0x87,0x43, 0x50,0x20,0x2e,0x1d, 697 0x8a,0xb0,0xb5,0xad, 0x47,0xac,0xc2,0x75, 698 0x40,0x28,0x9f,0xe3, 0xa8,0xe3,0x1f,0x7b, 699 0x56,0x58,0xdd,0xd1, 0x96,0x94,0x89, 700 }, 701 [2] = { /* p. 225 */ 702 0x2c,0xd2,0x63,0x2a, 0x89,0xda,0x8c,0x15, 703 0x02,0x14,0x11,0x07, 0xba,0xf5,0x02,0xb9, 704 0x7d,0x38,0xc4,0x48, 0x48,0x08,0x71,0xb2, 705 0x77,0xae,0xc7,0xff, 0x8d,0xa2,0x3c,0x71, 706 0xef,0xf5,0x9d,0xc2, 0x4e,0x5e,0x4c,0x7f, 707 0x58,0x47,0xb0,0xc1, 0x2f,0x6a,0x59,0x9e, 708 0x6b,0x2e,0xda,0xc0, 0x30,0x6b,0xcd, 709 }, 710 }, 711 .rnd_val = { /* p. 222 */ 712 [0] = { 713 0xe0,0xb9,0x7c,0x82, 0x12,0x68,0xfd,0x3b, 714 0xb2,0xca,0xbf,0xd1, 0xf9,0x54,0x84,0x78, 715 0xae,0x8a,0x60,0x41, 0x7f,0x7b,0x09,0x4a, 716 0x26,0x13,0x95,0x46, 0x06,0x2b,0x52,0x1c, 717 0xfd,0x33,0xe4,0xe3, 0x9b,0x9d,0xcd,0x0a, 718 0x3d,0xa1,0x52,0x09, 0xc7,0x2a,0xdb,0xe5, 719 0x8c,0x20,0xab,0x34, 0x07,0x02,0x69,0x51, 720 0x29,0x7a,0xd2,0x54, 0x30,0x75,0x53,0xa5, 721 }, 722 [1] = { /* p. 225 */ 723 0xc1,0xac,0xd3,0xad, 0xa4,0xc8,0xc4,0x95, 724 0xbf,0x17,0x9d,0xb5, 0x98,0x22,0xc3,0x51, 725 0xbc,0x47,0x9a,0xbe, 0x4e,0xb2,0x8f,0x84, 726 0x39,0x57,0xb1,0x1e, 0x3c,0x2b,0xc0,0x48, 727 0x83,0x96,0x42,0x97, 0x97,0x5b,0xd7,0x2d, 728 0x10,0x24,0xab,0xcf, 0x6f,0x66,0x15,0xd7, 729 0xf5,0xb4,0xfd,0x1e, 0x40,0xa6,0x4e,0xeb, 730 0x45,0xba,0x21,0x81, 0xb8,0x39,0x37,0xed, 731 }, 732 }, 733 }, 734 735 [4] = { /* Hash_DRBG.pdf, p. 225 */ 736 .personalization = &kat_zero, 737 .additional = kat_no_additional, 738 .reseed = true, 739 .C = { /* p. 229 */ 740 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, 741 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, 742 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, 743 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, 744 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, 745 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, 746 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, 747 }, 748 .V = { 749 [0] = { /* p. 227 */ 750 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, 751 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, 752 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, 753 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, 754 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, 755 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, 756 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, 757 }, 758 [1] = { /* p. 234 */ 759 0x23,0x97,0x6c,0x61, 0x63,0xd7,0xe2,0x4a, 760 0x1a,0x03,0x8f,0x2b, 0x2b,0x64,0x67,0x97, 761 0x50,0xca,0x9e,0xd8, 0xd1,0x40,0x69,0x8d, 762 0x64,0x22,0x39,0x7b, 0x02,0x96,0x9e,0x6e, 763 0xcd,0xd2,0x9d,0xac, 0xc5,0x76,0x7e,0x2c, 764 0xc2,0xd0,0xa1,0x56, 0xc8,0x7a,0xd0,0xb3, 765 0x57,0x89,0x05,0x07, 0xe0,0x37,0x77, 766 }, 767 [2] = { /* p. 239 */ 768 0x92,0xfb,0x0e,0x48, 0x0e,0x86,0x99,0x13, 769 0xc7,0xad,0x45,0xc7, 0xe3,0xfd,0x46,0x10, 770 0x17,0xe5,0xa6,0xb7, 0x70,0xf3,0x3b,0x31, 771 0x3c,0x38,0x83,0xf1, 0xcc,0x56,0x71,0x89, 772 0x45,0x21,0xf5,0xed, 0xe6,0x2e,0xaa,0xb0, 773 0x83,0xb1,0x41,0xa7, 0x5b,0x5c,0xc0,0x22, 774 0x60,0x5a,0x8a,0x3d, 0xc7,0x1b,0xa7, 775 }, 776 }, 777 .rnd_val = { 778 [0] = { /* p. 234 */ 779 0x92,0x27,0x55,0x23, 0xc7,0x0e,0x56,0x7b, 780 0xcf,0x9b,0x35,0xec, 0x50,0xb9,0x33,0xf8, 781 0x12,0x61,0x6d,0xf5, 0x86,0xb7,0xf7,0x2e, 782 0xe1,0xbc,0x77,0x35, 0xa5,0xc2,0x65,0x43, 783 0x73,0xcb,0xbc,0x72, 0x31,0x6d,0xff,0x84, 784 0x20,0xa3,0x3b,0xf0, 0x2b,0x97,0xac,0x8d, 785 0x19,0x52,0x58,0x3f, 0x27,0x0a,0xcd,0x70, 786 0x05,0xcc,0x02,0x7f, 0x4c,0xf1,0x18,0x7e, 787 }, 788 [1] = { /* p. 239 */ 789 0x68,0x1a,0x46,0xb2, 0xaa,0x86,0x94,0xa0, 790 0xfe,0x4d,0xee,0xa7, 0x20,0x92,0x7a,0x84, 791 0xea,0xaa,0x98,0x5e, 0x59,0xc1,0x9f,0x8b, 792 0xe0,0x98,0x4d,0x8c, 0xbe,0xf8,0xc6,0x9b, 793 0x75,0x41,0x67,0x64, 0x19,0x46,0xe0,0x40, 794 0xee,0x20,0x43,0xe1, 0xcc,0xb2,0x9d,0xcf, 795 0x06,0x3c,0x0a,0x50, 0x83,0x0e,0x42,0x8e, 796 0x6d,0xca,0x26,0x2e, 0xcd,0x77,0xc5,0x42, 797 }, 798 }, 799 }, 800 801 [5] = { /* Hash_DRBG.pdf, p. 239 */ 802 .personalization = &kat_zero, 803 .additional = kat_additional, 804 .reseed = true, 805 .C = { /* p. 243 */ 806 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, 807 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, 808 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, 809 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, 810 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, 811 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, 812 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, 813 }, 814 .V = { 815 [0] = { /* p. 242 */ 816 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, 817 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, 818 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, 819 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, 820 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, 821 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, 822 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, 823 }, 824 [1] = { /* p. 249 */ 825 0xb3,0x74,0x95,0x46, 0x81,0xcf,0xc9,0x5b, 826 0x8d,0xb8,0x39,0x52, 0x8c,0x71,0x08,0x83, 827 0x5e,0xb4,0xf3,0x0a, 0xd9,0x1c,0xbe,0x9e, 828 0xa0,0xd5,0x45,0xcc, 0xfd,0x18,0x13,0x2a, 829 0xf1,0xd3,0x76,0x8f, 0x47,0x02,0x77,0x2b, 830 0x69,0x15,0x9f,0x2c, 0xc0,0x7f,0x48,0x74, 831 0x1e,0xb5,0xb2,0xb1, 0x22,0x11,0x25, 832 }, 833 [2] = { /* p. 254 */ 834 0xbf,0xe3,0xd6,0x81, 0xa2,0x0f,0xbe,0x39, 835 0x03,0x8f,0x4d,0x66, 0x77,0x7c,0x1b,0xe5, 836 0x79,0xee,0xb4,0x85, 0x7b,0x42,0xf2,0x1c, 837 0x3f,0x59,0x8b,0x59, 0x62,0xb7,0xaa,0x48, 838 0x0e,0xa5,0x65,0xfe, 0xea,0xbd,0xfb,0xd6, 839 0xa7,0xec,0xcb,0x96, 0x02,0xc1,0x4b,0xfa, 840 0x30,0xf0,0xf9,0x81, 0x90,0x0c,0xd0, 841 }, 842 }, 843 .rnd_val = { 844 [0] = { /* p. 249 */ 845 0x11,0x60,0x1b,0x72, 0xca,0x60,0x89,0x73, 846 0x6b,0x20,0x47,0x44, 0xb2,0x9d,0xa1,0xaa, 847 0xaf,0xba,0xca,0xa5, 0x28,0x8f,0x06,0xbe, 848 0x48,0x45,0x69,0xcc, 0xed,0xbe,0xce,0x03, 849 0xe8,0x22,0xea,0xa5, 0xb1,0x4f,0x0e,0x04, 850 0x94,0x8c,0x05,0xcd, 0x3c,0xc2,0xe2,0x88, 851 0x9a,0x89,0xfa,0x03, 0xd6,0x5d,0x4d,0x74, 852 0xac,0x50,0xff,0x6b, 0xd8,0x56,0xe5,0x79, 853 }, 854 [1] = { /* p. 255 */ 855 0x05,0x5b,0xc1,0x28, 0xcc,0x2d,0x0e,0x25, 856 0x0f,0x47,0xe4,0xe4, 0xf5,0x82,0x37,0x5d, 857 0xe3,0xee,0x5e,0x9f, 0xe8,0x31,0x68,0x74, 858 0x97,0xe5,0xaf,0x1e, 0x7c,0xb6,0x9e,0xfd, 859 0xeb,0xd2,0xfd,0x31, 0xc7,0xce,0x2b,0xba, 860 0x0d,0xbc,0x6c,0x74, 0xc8,0xa2,0x0a,0x7d, 861 0x72,0xf6,0x0e,0x6d, 0x9f,0x63,0xed,0x50, 862 0x9e,0x96,0x3e,0x54, 0xa6,0x9e,0x90,0x48, 863 }, 864 }, 865 }, 866 867 [6] = { /* Hash_DRBG.pdf, p. 255 */ 868 .personalization = &kat_personalization, 869 .additional = kat_no_additional, 870 .reseed = true, 871 .C = { /* p. 259 */ 872 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, 873 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, 874 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, 875 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, 876 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, 877 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, 878 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, 879 }, 880 .V = { 881 [0] = { /* p. 257 */ 882 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, 883 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, 884 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, 885 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, 886 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, 887 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, 888 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, 889 }, 890 [1] = { /* p. 264 */ 891 0xaa,0x11,0x1b,0x0e, 0xd5,0x6c,0xf4,0xa6, 892 0xcc,0xe4,0xad,0xe7, 0xf1,0x1b,0x06,0x10, 893 0x45,0xbf,0x10,0x92, 0xcb,0xb3,0x8f,0xf3, 894 0x23,0x95,0xea,0x62, 0xd2,0x6b,0x27,0xc8, 895 0x86,0x89,0x45,0xc5, 0x93,0xba,0x70,0xc3, 896 0x84,0xad,0xad,0x45, 0x77,0x1c,0x93,0xb0, 897 0x9c,0x27,0x69,0x07, 0x52,0xd1,0xd8, 898 }, 899 [2] = { /* p. 269 */ 900 0x5f,0x0f,0xd4,0x0c, 0x8c,0x82,0xef,0x41, 901 0x03,0x14,0xb8,0x30, 0xc2,0x0f,0xcc,0xea, 902 0x71,0x59,0x18,0x9a, 0xea,0x13,0xe8,0x48, 903 0x75,0x68,0x68,0x18, 0xcd,0x4f,0x12,0xb9, 904 0xde,0xa8,0x82,0x58, 0x16,0xa4,0x13,0xa2, 905 0x95,0x72,0x5e,0xb3, 0x3e,0x33,0xb9,0xad, 906 0xfe,0xe0,0xb1,0xc2, 0x34,0x0a,0xe0, 907 }, 908 }, 909 .rnd_val = { 910 [0] = { /* p. 264 */ 911 0x7a,0x33,0xd3,0x90, 0x33,0xf8,0x60,0x58, 912 0x9f,0x37,0x5e,0x73, 0x35,0x30,0x75,0x52, 913 0x96,0x58,0xbb,0xed, 0x99,0xc8,0xa0,0xef, 914 0x5e,0x28,0xb3,0x51, 0xb2,0xdf,0x33,0x58, 915 0xb3,0xd8,0x9b,0xac, 0x72,0x25,0xdf,0x9e, 916 0x3b,0xcd,0x08,0x36, 0xb9,0x9b,0x5d,0xbf, 917 0x36,0x3a,0x17,0x0c, 0x7b,0xb9,0xbe,0x41, 918 0xa4,0xaa,0x97,0x44, 0x5e,0xce,0xe4,0x1e, 919 }, 920 [1] = { /* p. 269 */ 921 0x04,0x1a,0xbd,0x94, 0x07,0x9a,0x05,0x71, 922 0x88,0x5f,0x16,0x65, 0x94,0x4e,0x0e,0x7f, 923 0x1b,0xfa,0xcd,0xea, 0xea,0xe9,0xd4,0x4e, 924 0xed,0xc1,0x1f,0xad, 0xd8,0x4c,0x34,0xc7, 925 0xca,0xa7,0x3d,0x09, 0xa0,0x19,0x31,0x93, 926 0xfa,0x40,0xa1,0x9f, 0x64,0x4f,0x04,0x8d, 927 0x2a,0x54,0x17,0x04, 0x25,0x53,0xdf,0x52, 928 0x51,0x74,0x1b,0x40, 0xea,0xcf,0xeb,0x98, 929 }, 930 }, 931 }, 932 933 [7] = { /* Hash_DRBG.pdf, p. 269 */ 934 .personalization = &kat_personalization, 935 .additional = kat_additional, 936 .reseed = true, 937 .C = { /* p. 274 */ 938 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, 939 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, 940 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, 941 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, 942 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, 943 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, 944 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, 945 }, 946 .V = { 947 [0] = { /* p. 272 */ 948 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, 949 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, 950 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, 951 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, 952 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, 953 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, 954 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, 955 }, 956 [1] = { /* p. 279 */ 957 0xaa,0xf6,0xb9,0x9b, 0x7f,0x84,0xb0,0x36, 958 0xe1,0xcc,0xbc,0x9d, 0x57,0x3a,0x36,0xb8, 959 0xbd,0xd4,0x7c,0x35, 0x8b,0xb5,0xf3,0xc1, 960 0xd6,0xe7,0x90,0x3a, 0xaa,0x29,0xf1,0xc8, 961 0x7a,0xe6,0x66,0xb8, 0x86,0x93,0xbe,0xf4, 962 0x6c,0x51,0xc2,0x4c, 0x47,0xbe,0xfe,0x4b, 963 0x35,0x75,0x4d,0xcb, 0xfa,0x1e,0x7d, 964 }, 965 [2] = { /* p. 285 */ 966 0x0c,0x75,0x77,0x4d, 0x61,0x02,0x69,0xad, 967 0x5b,0xb4,0xab,0xbb, 0x14,0x83,0x23,0xc9, 968 0x78,0x9f,0x8f,0x76, 0x25,0xcc,0x34,0x33, 969 0x7c,0x03,0x47,0x2d, 0x9a,0x0c,0x4f,0xac, 970 0x30,0xbe,0xd2,0xdd, 0xde,0x64,0xb8,0x7a, 971 0x2c,0x70,0x67,0x52, 0xc2,0x1a,0xc0,0x11, 972 0x27,0x43,0x59,0x2c, 0x4f,0xdf,0x67, 973 }, 974 }, 975 .rnd_val = { /* p. 279 */ 976 [0] = { 977 0x88,0x97,0x32,0x97, 0x5b,0x36,0xe8,0xe2, 978 0xe7,0xb7,0x40,0x50, 0xae,0xa1,0x71,0x39, 979 0xda,0x2b,0x86,0x34, 0xdc,0xe2,0x13,0x3b, 980 0x06,0x34,0x74,0x3f, 0x47,0x75,0x57,0xab, 981 0x7b,0x84,0x4e,0xd3, 0xf2,0xa4,0x6c,0xc6, 982 0x3e,0xb2,0x32,0x86, 0x46,0x4c,0x51,0xd5, 983 0xd7,0x69,0x71,0xc4, 0x7b,0xc5,0xb5,0x5f, 984 0xed,0x72,0xa8,0x04, 0x3c,0xbf,0x66,0x4f, 985 }, 986 [1] = { 987 0xbf,0x49,0xb8,0x89, 0xba,0x98,0x4d,0x34, 988 0x63,0x87,0xe8,0x64, 0x7e,0x98,0xbb,0x99, 989 0xcd,0x41,0xa3,0x2f, 0xbe,0xc1,0xfc,0xb3, 990 0xb6,0xa1,0xb7,0xd9, 0x93,0x2b,0xa7,0xe1, 991 0x1e,0xe6,0xbb,0xd9, 0x24,0x40,0x5a,0x2c, 992 0x7f,0xca,0x89,0x0a, 0x5e,0x9a,0x8d,0xea, 993 0x66,0xac,0x0c,0xac, 0xa0,0xca,0x7b,0xc1, 994 0x8d,0x74,0xfb,0xc0, 0x2a,0x11,0xe4,0x53, 995 }, 996 }, 997 }, 998}; 999 1000#ifdef NIST_HASH_DRBG_DEBUG 1001#define DPRINTF(fmt, ...) \ 1002 printf("%s:%d: " fmt, __func__, __LINE__, ##__VA_ARGS__) 1003#define DUSE(v) 1004#else 1005#define DPRINTF(fmt, ...) 1006#define DUSE(v) (void)(v) 1007#endif 1008 1009#define CHECK(i, name, actual, expected, n) do \ 1010{ \ 1011 CTASSERT(sizeof(actual) == (n)); \ 1012 ok &= check(i, name, actual, expected, (n)); \ 1013} while (0) 1014 1015static bool 1016check(unsigned katno, const char *name, const uint8_t *actual, 1017 const uint8_t *expected, size_t n) 1018{ 1019 bool ok = true; 1020 size_t i; 1021 1022 DUSE(katno); 1023 DUSE(name); 1024 1025 for (i = 0; i < n; i++) { 1026 if (actual[i] != expected[i]) { 1027 DPRINTF("KAT %u %s[%zu] = %02x, expected %02x\n", 1028 katno, name, i, actual[i], expected[i]); 1029 ok = false; 1030 } 1031 } 1032 1033 return ok; 1034} 1035 1036#ifdef NIST_HASH_DRBG_MAIN 1037int 1038main(void) 1039{ 1040 int ret; 1041 1042 ret = nist_hash_drbg_initialize(); 1043 1044 fflush(stdout); 1045 return ret || ferror(stdout); 1046} 1047#endif 1048 1049int 1050nist_hash_drbg_initialize(void) 1051{ 1052 const unsigned truncation[] = { 0, 1, 32, 63 }; 1053 bool ok = true; 1054 size_t i, j; 1055 1056 for (i = 0; i < arraycount(kat); i++) { 1057 for (j = 0; j < arraycount(truncation); j++) { 1058 const unsigned trunc = truncation[j]; 1059 struct nist_hash_drbg drbg, *D = &drbg; 1060 uint8_t rnd_val[64]; 1061 unsigned reseed_counter; 1062 1063 nist_hash_drbg_instantiate(D, 1064 kat_entropy[0], sizeof kat_entropy[0], 1065 kat_nonce, sizeof kat_nonce, 1066 kat[i].personalization->hv_base, 1067 kat[i].personalization->hv_len); 1068 reseed_counter = 1; 1069 CHECK(i, "C", D->C, kat[i].C, SEEDLEN_BYTES); 1070 CHECK(i, "V[0]", D->V, kat[i].V[0], SEEDLEN_BYTES); 1071 if (D->reseed_counter != reseed_counter) { 1072 DPRINTF("bad reseed counter: %u, expected %u", 1073 D->reseed_counter, reseed_counter); 1074 ok = false; 1075 } 1076 1077 if (kat[i].reseed) { 1078 nist_hash_drbg_reseed(D, 1079 kat_entropy[1], sizeof kat_entropy[1], 1080 kat[i].additional[0]->hv_base, 1081 kat[i].additional[0]->hv_len); 1082 } 1083 1084 nist_hash_drbg_generate(D, rnd_val, 1085 sizeof(rnd_val) - trunc, 1086 kat[i].reseed ? 0 : kat[i].additional[0]->hv_base, 1087 kat[i].reseed ? 0 : kat[i].additional[0]->hv_len); 1088 reseed_counter++; 1089 CHECK(i, "V[1]", D->V, kat[i].V[1], SEEDLEN_BYTES); 1090 ASSERT(sizeof(kat[i].rnd_val[0]) - trunc <= 1091 sizeof rnd_val); 1092 check(i, "rnd_val[0]", rnd_val, kat[i].rnd_val[0], 1093 sizeof(kat[i].rnd_val[0]) - trunc); 1094 if (D->reseed_counter != reseed_counter) { 1095 DPRINTF("bad reseed counter: %u, expected %u", 1096 D->reseed_counter, reseed_counter); 1097 ok = false; 1098 } 1099 1100 if (kat[i].reseed) { 1101 nist_hash_drbg_reseed(D, 1102 kat_entropy[2], sizeof kat_entropy[2], 1103 kat[i].additional[1]->hv_base, 1104 kat[i].additional[1]->hv_len); 1105 reseed_counter = 1; 1106 } 1107 1108 nist_hash_drbg_generate(D, rnd_val, 1109 sizeof(rnd_val) - trunc, 1110 kat[i].reseed ? 0 : kat[i].additional[1]->hv_base, 1111 kat[i].reseed ? 0 : kat[i].additional[1]->hv_len); 1112 reseed_counter++; 1113 CHECK(i, "V[2]", D->V, kat[i].V[2], SEEDLEN_BYTES); 1114 ASSERT(sizeof(kat[i].rnd_val[1]) - trunc <= 1115 sizeof rnd_val); 1116 check(i, "rnd_val[1]", rnd_val, kat[i].rnd_val[1], 1117 sizeof(kat[i].rnd_val[1]) - trunc); 1118 if (D->reseed_counter != reseed_counter) { 1119 DPRINTF("bad reseed counter: %u, expected %u", 1120 D->reseed_counter, reseed_counter); 1121 ok = false; 1122 } 1123 1124 nist_hash_drbg_destroy(D); 1125 } 1126 } 1127 1128 if (!ok) 1129 return 1; 1130 return 0; 1131} 1132