1 /* $NetBSD: nist_hash_drbg.c,v 1.3 2019/09/19 18:29:55 riastradh Exp $ */
2
3 /*-
4 * Copyright (c) 2019 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This code is derived from software contributed to The NetBSD Foundation
8 * by Taylor R. Campbell.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 /*
33 * This file implements Hash_DRBG, a `deterministic random bit
34 * generator' (more commonly known in lay terms and in the cryptography
35 * literature as a pseudorandom bit generator or pseudorandom number
36 * generator), described in
37 *
38 * Elaine Barker and John Kelsey, `Recommendation for Random
39 * Number Generation Using Deterministic Random Bit Generators',
40 * NIST SP800-90A, June 2015.
41 *
42 * This code is meant to work in userland or in kernel. For a test
43 * program, compile with -DNIST_HASH_DRBG_MAIN to define a `main'
44 * function; for verbose debugging output, compile with
45 * -DNIST_HASH_DRBG_DEBUG, mainly useful if you need to change
46 * something and have to diagnose what's wrong with the known-answer
47 * tests.
48 */
49
50 #ifdef _KERNEL
51 #include <sys/cdefs.h>
52 __KERNEL_RCSID(0, "$NetBSD: nist_hash_drbg.c,v 1.3 2019/09/19 18:29:55 riastradh Exp $");
53 #endif
54
55 #include <sys/param.h>
56 #include <sys/types.h>
57 #include <sys/sha2.h>
58
59 #ifdef _KERNEL
60 #include <sys/systm.h> /* memcpy */
61 #include <lib/libkern/libkern.h> /* KASSERT */
62 #define ASSERT KASSERT
63 #else
64 #include <assert.h>
65 #include <stdbool.h>
66 #include <stdio.h>
67 #include <string.h>
68 #define ASSERT assert
69 #define CTASSERT __CTASSERT
70 #endif
71
72 #include "nist_hash_drbg.h"
73
74 #define secret /* must not use in variable-time operations; should zero */
75 #define arraycount(A) (sizeof(A)/sizeof(A[0]))
76
77 CTASSERT(0 < NIST_HASH_DRBG_RESEED_INTERVAL);
78 CTASSERT(NIST_HASH_DRBG_RESEED_INTERVAL <= INT_MAX);
79 CTASSERT(NIST_HASH_DRBG_RESEED_INTERVAL <= ~(~0ull << 48));
80
81 /* Instantiation: SHA-256 */
82 #define HASH_LENGTH SHA256_DIGEST_LENGTH
83 #define HASH_CTX SHA256_CTX
84 #define hash_init SHA256_Init
85 #define hash_update SHA256_Update
86 #define hash_final SHA256_Final
87
88 #define SEEDLEN_BYTES NIST_HASH_DRBG_SEEDLEN_BYTES
89
90 struct hvec {
91 const void *hv_base;
92 size_t hv_len;
93 };
94
95 static void hashgen(secret uint8_t *, size_t,
96 const secret uint8_t[SEEDLEN_BYTES]);
97 static void add8(secret uint8_t *, size_t, const secret uint8_t *, size_t);
98 static void hash_df(secret void *, size_t, const struct hvec *, size_t);
99 static void hash_df_block(secret void *, uint8_t, uint8_t[4],
100 const struct hvec *, size_t);
101
102 /* 10.1.1 Hash_DRBG */
103
104 int
nist_hash_drbg_destroy(struct nist_hash_drbg * D)105 nist_hash_drbg_destroy(struct nist_hash_drbg *D)
106 {
107
108 explicit_memset(D, 0, sizeof(*D));
109 D->reseed_counter = UINT_MAX; /* paranoia: make generate fail */
110
111 /* Always return zero for hysterical raisins. (XXX) */
112 return 0;
113 }
114
115 /* 10.1.1.2 Instantiation of Hash_DRBG */
116
117 int
nist_hash_drbg_instantiate(secret struct nist_hash_drbg * D,const secret void * entropy,size_t entropylen,const void * nonce,size_t noncelen,const void * personalization,size_t personalizationlen)118 nist_hash_drbg_instantiate(secret struct nist_hash_drbg *D,
119 const secret void *entropy, size_t entropylen,
120 const void *nonce, size_t noncelen,
121 const void *personalization, size_t personalizationlen)
122 {
123 /*
124 * 1. seed_material = entropy_input || nonce || personalization_string
125 */
126 const struct hvec seed_material[] = {
127 { .hv_base = entropy, .hv_len = entropylen },
128 { .hv_base = nonce, .hv_len = noncelen },
129 { .hv_base = personalization, .hv_len = personalizationlen },
130 };
131
132 /*
133 * 2. seed = Hash_df(seed_material, seedlen)
134 * 3. V = seed
135 */
136 CTASSERT(sizeof D->V == SEEDLEN_BYTES);
137 hash_df(D->V, sizeof D->V, seed_material, arraycount(seed_material));
138
139 /* 4. C = Hash_df((0x00 || V), seedlen) */
140 const struct hvec hv[] = {
141 { .hv_base = (const uint8_t[]) {0x00}, .hv_len = 1 },
142 { .hv_base = D->V, .hv_len = sizeof D->V },
143 };
144 CTASSERT(sizeof D->C == SEEDLEN_BYTES);
145 hash_df(D->C, sizeof D->C, hv, arraycount(hv));
146
147 /* 5. reseed_counter = 1 */
148 D->reseed_counter = 1;
149
150 /* Always return zero for hysterical raisins. (XXX) */
151 return 0;
152 }
153
154 /* 10.1.1.3 Reseeding a Hash_DRBG Instantiation */
155
156 int
nist_hash_drbg_reseed(secret struct nist_hash_drbg * D,const secret void * entropy,size_t entropylen,const void * additional,size_t additionallen)157 nist_hash_drbg_reseed(secret struct nist_hash_drbg *D,
158 const secret void *entropy, size_t entropylen,
159 const void *additional, size_t additionallen)
160 {
161 /* 1. seed_material = 0x01 || V || entropy_input || additional_input */
162 const struct hvec seed_material[] = {
163 { .hv_base = (const uint8_t[]) {0x01}, .hv_len = 1 },
164 { .hv_base = D->V, .hv_len = sizeof D->V },
165 { .hv_base = entropy, .hv_len = entropylen },
166 { .hv_base = additional, .hv_len = additionallen },
167 };
168 uint8_t seed[SEEDLEN_BYTES];
169
170 /*
171 * 2. seed = Hash_df(seed_material, seedlen)
172 * 3. V = seed
173 */
174 CTASSERT(sizeof D->V == SEEDLEN_BYTES);
175 hash_df(seed, sizeof seed, seed_material, arraycount(seed_material));
176 memcpy(D->V, seed, sizeof D->V);
177
178 /* 3. C = Hash_df((0x00 || V), seedlen) */
179 const struct hvec hv[] = {
180 { .hv_base = (const uint8_t[]) {0x00}, .hv_len = 1 },
181 { .hv_base = D->V, .hv_len = sizeof D->V },
182 };
183 CTASSERT(sizeof D->C == SEEDLEN_BYTES);
184 hash_df(D->C, sizeof D->C, hv, arraycount(hv));
185
186 /* 5. reseed_counter = 1 */
187 D->reseed_counter = 1;
188
189 /* Always return zero for hysterical raisins. (XXX) */
190 return 0;
191 }
192
193 /* 10.1.1.4 Generating Pseudorandom Bits Using Hash_DRBG */
194
195 int
nist_hash_drbg_generate(secret struct nist_hash_drbg * D,secret void * output,size_t outputlen,const void * additional,size_t additionallen)196 nist_hash_drbg_generate(secret struct nist_hash_drbg *D,
197 secret void *output, size_t outputlen,
198 const void *additional, size_t additionallen)
199 {
200 secret HASH_CTX ctx;
201 secret uint8_t H[HASH_LENGTH];
202 uint8_t reseed_counter[4];
203
204 ASSERT(outputlen <= NIST_HASH_DRBG_MAX_REQUEST_BYTES);
205
206 /*
207 * 1. If reseed_counter > reseed_interval, then return an
208 * indication that a reseed is required.
209 */
210 if (D->reseed_counter > NIST_HASH_DRBG_RESEED_INTERVAL)
211 return 1;
212
213 /* 2. If (additional_input != Null), then do: */
214 if (additionallen) {
215 /* 2.1 w = Hash(0x02 || V || additional_input) */
216 secret uint8_t w[HASH_LENGTH];
217
218 hash_init(&ctx);
219 hash_update(&ctx, (const uint8_t[]) {0x02}, 1);
220 hash_update(&ctx, D->V, sizeof D->V);
221 hash_update(&ctx, additional, additionallen);
222 hash_final(w, &ctx);
223
224 /* 2.2 V = (V + w) mod 2^seedlen */
225 add8(D->V, sizeof D->V, w, sizeof w);
226
227 explicit_memset(w, 0, sizeof w);
228 }
229
230 /* 3. (returned_bits) = Hashgen(requested_number_of_bits, V) */
231 hashgen(output, outputlen, D->V);
232
233 /* 4. H = Hash(0x03 || V) */
234 hash_init(&ctx);
235 hash_update(&ctx, (const uint8_t[]) {0x03}, 1);
236 hash_update(&ctx, D->V, sizeof D->V);
237 hash_final(H, &ctx);
238
239 /* 5. V = (V + H + C + reseed_counter) mod 2^seedlen */
240 be32enc(reseed_counter, D->reseed_counter);
241 add8(D->V, sizeof D->V, H, sizeof H);
242 add8(D->V, sizeof D->V, D->C, sizeof D->C);
243 add8(D->V, sizeof D->V, reseed_counter, sizeof reseed_counter);
244
245 /* 6. reseed_counter = reseed_counter + 1 */
246 D->reseed_counter++;
247
248 explicit_memset(&ctx, 0, sizeof ctx);
249 explicit_memset(H, 0, sizeof H);
250
251 /* 7. Return SUCCESS, ... */
252 return 0;
253 }
254
255 /*
256 * p := H(V) || H(V + 1) || H(V + 2) || ...
257 */
258 static void
hashgen(secret uint8_t * p,size_t n,const secret uint8_t V[SEEDLEN_BYTES])259 hashgen(secret uint8_t *p, size_t n, const secret uint8_t V[SEEDLEN_BYTES])
260 {
261 secret uint8_t data[SEEDLEN_BYTES];
262 secret HASH_CTX ctx;
263
264 /* Save a copy so that we can increment it. */
265 memcpy(data, V, SEEDLEN_BYTES);
266
267 /* Generate block by block into p directly. */
268 while (HASH_LENGTH <= n) {
269 hash_init(&ctx);
270 hash_update(&ctx, data, SEEDLEN_BYTES);
271 hash_final(p, &ctx);
272
273 p += HASH_LENGTH;
274 n -= HASH_LENGTH;
275 add8(data, sizeof data, (const uint8_t[]) {1}, 1);
276 }
277
278 /*
279 * If any partial block requested, generate a full block and
280 * copy the part we need.
281 */
282 if (n) {
283 secret uint8_t t[HASH_LENGTH];
284
285 hash_init(&ctx);
286 hash_update(&ctx, data, SEEDLEN_BYTES);
287 hash_final(t, &ctx);
288
289 memcpy(p, t, n);
290 explicit_memset(t, 0, sizeof t);
291 }
292
293 explicit_memset(data, 0, sizeof data);
294 explicit_memset(&ctx, 0, sizeof ctx);
295 }
296
297 /*
298 * s := s + a (big-endian, radix-2^8)
299 */
300 static void
add8(secret uint8_t * s,size_t slen,const secret uint8_t * a,size_t alen)301 add8(secret uint8_t *s, size_t slen, const secret uint8_t *a, size_t alen)
302 {
303 const size_t smax = slen - 1, amax = alen - 1;
304 size_t i;
305 secret unsigned c = 0;
306
307 /* 2^8 c + s_i := s_i + a_i + c */
308 for (i = 0; i < MIN(slen, alen); i++) {
309 c += s[smax - i] + a[amax - i];
310 s[smax - i] = c & 0xff;
311 c >>= 8;
312 }
313
314 /* 2^8 c + s_i := s_i + c */
315 for (; i < slen; i++) {
316 c += s[smax - i];
317 s[smax - i] = c & 0xff;
318 c >>= 8;
319 }
320
321 explicit_memset(&c, 0, sizeof c);
322 }
323
324 /* 10.4.1 Derivation Function Using a Hash Function (Hash_df) */
325
326 static void
hash_df(void * h,size_t hlen,const struct hvec * input,size_t inputlen)327 hash_df(void *h, size_t hlen, const struct hvec *input, size_t inputlen)
328 {
329 uint8_t *p = h;
330 size_t n = hlen;
331 uint8_t counter = 1;
332 uint8_t hbits[4];
333
334 ASSERT(hlen <= 255*HASH_LENGTH);
335 ASSERT(hlen <= UINT32_MAX/8);
336 be32enc(hbits, 8*hlen);
337
338 while (HASH_LENGTH <= n) {
339 hash_df_block(p, counter++, hbits, input, inputlen);
340 p += HASH_LENGTH;
341 n -= HASH_LENGTH;
342 }
343
344 if (n) {
345 secret uint8_t t[HASH_LENGTH];
346
347 hash_df_block(t, counter, hbits, input, inputlen);
348 memcpy(p, t, n);
349
350 explicit_memset(t, 0, sizeof t);
351 }
352 }
353
354 static void
hash_df_block(secret void * h,uint8_t counter,uint8_t hbits[4],const struct hvec * input,size_t inputlen)355 hash_df_block(secret void *h, uint8_t counter, uint8_t hbits[4],
356 const struct hvec *input, size_t inputlen)
357 {
358 secret HASH_CTX ctx;
359 size_t i;
360
361 /*
362 * Hash_df Process, step 4.1:
363 * Hash(counter || no_of_bits_to_return || input_string)
364 */
365 hash_init(&ctx);
366 hash_update(&ctx, &counter, 1);
367 hash_update(&ctx, hbits, 4);
368 for (i = 0; i < inputlen; i++) {
369 if (input[i].hv_len)
370 hash_update(&ctx, input[i].hv_base, input[i].hv_len);
371 }
372 hash_final(h, &ctx);
373
374 explicit_memset(&ctx, 0, sizeof ctx);
375 }
376
377 /*
378 * Known-answer test vectors for Hash_DRBG with SHA-256
379 */
380
381 /* Hash_DRBG.PDF, p. 190 */
382 static const uint8_t kat_entropy[3][SEEDLEN_BYTES] = {
383 [0] = {
384 0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07,
385 0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f,
386 0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17,
387 0x18,0x19,0x1a,0x1b, 0x1c,0x1d,0x1e,0x1f,
388 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27,
389 0x28,0x29,0x2a,0x2b, 0x2c,0x2d,0x2e,0x2f,
390 0x30,0x31,0x32,0x33, 0x34,0x35,0x36,
391 },
392 [1] = { /* for reseed1 */
393 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87,
394 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f,
395 0x90,0x91,0x92,0x93, 0x94,0x95,0x96,0x97,
396 0x98,0x99,0x9a,0x9b, 0x9c,0x9d,0x9e,0x9f,
397 0xa0,0xa1,0xa2,0xa3, 0xa4,0xa5,0xa6,0xa7,
398 0xa8,0xa9,0xaa,0xab, 0xac,0xad,0xae,0xaf,
399 0xb0,0xb1,0xb2,0xb3, 0xb4,0xb5,0xb6,
400 },
401 [2] = { /* for reseed2 */
402 0xc0,0xc1,0xc2,0xc3, 0xc4,0xc5,0xc6,0xc7,
403 0xc8,0xc9,0xca,0xcb, 0xcc,0xcd,0xce,0xcf,
404 0xd0,0xd1,0xd2,0xd3, 0xd4,0xd5,0xd6,0xd7,
405 0xd8,0xd9,0xda,0xdb, 0xdc,0xdd,0xde,0xdf,
406 0xe0,0xe1,0xe2,0xe3, 0xe4,0xe5,0xe6,0xe7,
407 0xe8,0xe9,0xea,0xeb, 0xec,0xed,0xee,0xef,
408 0xf0,0xf1,0xf2,0xf3, 0xf4,0xf5,0xf6,
409 },
410 };
411
412 static const uint8_t kat_nonce[] = {
413 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27,
414 };
415
416 static const struct hvec kat_zero = { .hv_base = 0, .hv_len = 0 };
417
418 static const struct hvec kat_personalization = {
419 .hv_len = 55,
420 .hv_base = (const void *)(const uint8_t[]) { /* p. 208 */
421 0x40,0x41,0x42,0x43, 0x44,0x45,0x46,0x47,
422 0x48,0x49,0x4a,0x4b, 0x4c,0x4d,0x4e,0x4f,
423 0x50,0x51,0x52,0x53, 0x54,0x55,0x56,0x57,
424 0x58,0x59,0x5a,0x5b, 0x5c,0x5d,0x5e,0x5f,
425 0x60,0x61,0x62,0x63, 0x64,0x65,0x66,0x67,
426 0x68,0x69,0x6a,0x6b, 0x6c,0x6d,0x6e,0x6f,
427 0x70,0x71,0x72,0x73, 0x74,0x75,0x76,
428 },
429 };
430
431 static const struct hvec *const kat_no_additional[] = {
432 [0] = &kat_zero,
433 [1] = &kat_zero,
434 };
435
436 static const struct hvec *const kat_additional[] = {
437 [0] = &(const struct hvec) {
438 .hv_len = 55,
439 .hv_base = (const void *)(const uint8_t[]) {
440 0x60,0x61,0x62,0x63, 0x64,0x65,0x66,0x67,
441 0x68,0x69,0x6a,0x6b, 0x6c,0x6d,0x6e,0x6f,
442 0x70,0x71,0x72,0x73, 0x74,0x75,0x76,0x77,
443 0x78,0x79,0x7a,0x7b, 0x7c,0x7d,0x7e,0x7f,
444 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87,
445 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f,
446 0x90,0x91,0x92,0x93, 0x94,0x95,0x96,
447 },
448 },
449 [1] = &(const struct hvec) {
450 .hv_len = 55,
451 .hv_base = (const void *)(const uint8_t[]) {
452 0xa0,0xa1,0xa2,0xa3, 0xa4,0xa5,0xa6,0xa7,
453 0xa8,0xa9,0xaa,0xab, 0xac,0xad,0xae,0xaf,
454 0xb0,0xb1,0xb2,0xb3, 0xb4,0xb5,0xb6,0xb7,
455 0xb8,0xb9,0xba,0xbb, 0xbc,0xbd,0xbe,0xbf,
456 0xc0,0xc1,0xc2,0xc3, 0xc4,0xc5,0xc6,0xc7,
457 0xc8,0xc9,0xca,0xcb, 0xcc,0xcd,0xce,0xcf,
458 0xd0,0xd1,0xd2,0xd3, 0xd4,0xd5,0xd6,
459 },
460 },
461 };
462
463 static const struct {
464 const struct hvec *personalization;
465 const struct hvec *const *additional;
466 bool reseed;
467 uint8_t C[SEEDLEN_BYTES];
468 uint8_t V[3][SEEDLEN_BYTES];
469 uint8_t rnd_val[2][64];
470 } kat[] = {
471 [0] = { /* Hash_DRBG.pdf, p. 190 */
472 .personalization = &kat_zero,
473 .additional = kat_no_additional,
474 .reseed = false,
475 .C = { /* p. 193 */
476 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b,
477 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee,
478 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a,
479 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0,
480 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02,
481 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea,
482 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1,
483 },
484 .V = {
485 [0] = { /* p. 192 */
486 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09,
487 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11,
488 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd,
489 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95,
490 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d,
491 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe,
492 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1,
493 },
494 [1] = { /* p. 195 */
495 0x8c,0x9f,0xb2,0x8d, 0x1b,0x5c,0xcc,0xa4,
496 0x7e,0x7c,0xfa,0x66, 0xba,0xce,0x21,0xff,
497 0x26,0x0a,0x16,0xa5, 0xba,0xba,0x7f,0x14,
498 0x4e,0x75,0x79,0x36, 0x8e,0x99,0x55,0xbe,
499 0xfb,0xe7,0x00,0xee, 0xf8,0x72,0x77,0x6b,
500 0x17,0xae,0xff,0xd5, 0x3d,0x76,0xf4,0xe3,
501 0xbe,0x65,0xe8,0xc9, 0x4b,0x70,0x8f,
502 },
503 [2] = { /* p. 197 */
504 0x6d,0xfd,0x97,0x35, 0xff,0x0e,0x0e,0x3f,
505 0xe0,0x52,0x2f,0x58, 0x18,0x8b,0x53,0xed,
506 0x3f,0xf6,0x70,0x05, 0x46,0x52,0x90,0x44,
507 0xb6,0x2b,0xe1,0x7d, 0x1b,0x1c,0x21,0xd0,
508 0x91,0xb0,0x89,0xb1, 0x77,0x47,0x95,0xdb,
509 0x14,0x22,0xa8,0x6c, 0x95,0x46,0x34,0x80,
510 0x76,0xb4,0xb6,0x21, 0xc7,0x2f,0x91,
511 },
512 },
513 .rnd_val = {
514 [0] = {
515 0x77,0xe0,0x5a,0x0e, 0x7d,0xc7,0x8a,0xb5,
516 0xd8,0x93,0x4d,0x5e, 0x93,0xe8,0x2c,0x06,
517 0xa0,0x7c,0x04,0xce, 0xe6,0xc9,0xc5,0x30,
518 0x45,0xee,0xb4,0x85, 0x87,0x27,0x77,0xcf,
519 0x3b,0x3e,0x35,0xc4, 0x74,0xf9,0x76,0xb8,
520 0x94,0xbf,0x30,0x1a, 0x86,0xfa,0x65,0x1f,
521 0x46,0x39,0x70,0xe8, 0x9d,0x4a,0x05,0x34,
522 0xb2,0xec,0xad,0x29, 0xec,0x04,0x4e,0x7e,
523 },
524 {
525 0x5f,0xf4,0xba,0x49, 0x3c,0x40,0xcf,0xff,
526 0x3b,0x01,0xe4,0x72, 0xc5,0x75,0x66,0x8c,
527 0xce,0x38,0x80,0xb9, 0x29,0x0b,0x05,0xbf,
528 0xed,0xe5,0xec,0x96, 0xed,0x5e,0x9b,0x28,
529 0x98,0x50,0x8b,0x09, 0xbc,0x80,0x0e,0xee,
530 0x09,0x9a,0x3c,0x90, 0x60,0x2a,0xbd,0x4b,
531 0x1d,0x4f,0x34,0x3d, 0x49,0x7c,0x60,0x55,
532 0xc8,0x7b,0xb9,0x56, 0xd5,0x3b,0xf3,0x51,
533 },
534 },
535 },
536
537 [1] = { /* Hash_DRBG.pdf, p. 198 */
538 .personalization = &kat_zero,
539 .additional = kat_additional,
540 .reseed = false,
541 .C = { /* p. 201 */
542 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b,
543 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee,
544 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a,
545 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0,
546 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02,
547 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea,
548 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1,
549 },
550 .V = {
551 [0] = { /* p. 200 */
552 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09,
553 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11,
554 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd,
555 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95,
556 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d,
557 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe,
558 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1,
559 },
560 [1] = { /* p. 204 */
561 0x8c,0x9f,0xb2,0x8d, 0x1b,0x5c,0xcc,0xa4,
562 0x7e,0x7c,0xfa,0x66, 0xba,0xce,0x21,0xff,
563 0x26,0x0a,0x16,0xa5, 0xba,0xba,0x7f,0x1f,
564 0xd3,0x3b,0x30,0x79, 0x8f,0xb2,0x9a,0x0f,
565 0xba,0x66,0x65,0x02, 0x7d,0x7f,0x10,0x58,
566 0x71,0xbf,0xb4,0x40, 0xdf,0xbe,0xde,0x81,
567 0xd0,0x4d,0x22,0xdf, 0xf7,0x89,0xe1,
568 },
569 [2] = { /* p. 207 */
570 0x6d,0xfd,0x97,0x35, 0xff,0x0e,0x0e,0x3f,
571 0xe0,0x52,0x2f,0x58, 0x18,0x8b,0x53,0xed,
572 0x3f,0xf6,0x70,0x05, 0x46,0x52,0x90,0xe1,
573 0x7c,0x5a,0xd8,0x2d, 0xa9,0x2a,0x05,0x01,
574 0xaa,0x66,0x3a,0xa6, 0x9f,0xa5,0xa0,0xb0,
575 0x81,0x2b,0x4b,0x4f, 0xaf,0xf3,0xfe,0xce,
576 0x79,0xcc,0xf6,0xaa, 0xde,0xc1,0xd0,
577 },
578 },
579 .rnd_val = {
580 [0] = { /* p. 203 */
581 0x51,0x07,0x24,0xb9, 0x3a,0xe9,0xa1,0x82,
582 0x70,0xe4,0x84,0x73, 0x71,0x1d,0x88,0x24,
583 0x63,0x1b,0xaa,0x7f, 0x1d,0x9a,0xc9,0x28,
584 0x4e,0x7e,0xc8,0xf3, 0x63,0x7f,0x7a,0x74,
585 0x3b,0x36,0x44,0xeb, 0x96,0xc9,0x86,0x27,
586 0xc8,0xfd,0x40,0x5a, 0x7a,0x46,0x03,0xf3,
587 0x8c,0xff,0x7c,0x89, 0xe9,0xc1,0x33,0xf5,
588 0x85,0x1f,0x40,0xe9, 0x20,0x30,0xfe,0xa2,
589 },
590 [1] = { /* p. 206 */
591 0x62,0x53,0xda,0x3a, 0xae,0x8b,0x88,0xa3,
592 0xb7,0x46,0xe4,0xc8, 0xb2,0x63,0x5c,0x54,
593 0x0f,0x6e,0x9e,0xa7, 0x15,0x7e,0xe6,0x9d,
594 0xd7,0x1e,0xfb,0x2e, 0x8f,0xf7,0xbb,0xe1,
595 0xe3,0x33,0x68,0x88, 0x38,0xdd,0x7d,0xe4,
596 0x9c,0xc8,0x89,0x90, 0x30,0x9c,0x96,0xcd,
597 0xb2,0xab,0x92,0x95, 0x74,0x36,0xbf,0x83,
598 0xd1,0xbd,0x83,0x08, 0x19,0xc7,0x48,0xca,
599 },
600 },
601 },
602
603 [2] = { /* Hash_DRBG.pdf, p. 208 */
604 .personalization = &kat_personalization,
605 .additional = kat_no_additional,
606 .reseed = false,
607 .C = { /* p. 211 */
608 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55,
609 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c,
610 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69,
611 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87,
612 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c,
613 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03,
614 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0,
615 },
616 .V = {
617 [0] = { /* p. 210 */
618 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69,
619 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0,
620 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63,
621 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4,
622 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8,
623 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35,
624 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca,
625 },
626 [1] = { /* p. 213 */
627 0xe8,0x5d,0xd8,0xb1, 0xd8,0x6c,0x16,0xbf,
628 0x62,0x8b,0xf3,0xb5, 0xf9,0x97,0x04,0x4d,
629 0x2a,0x69,0x13,0x8c, 0xd6,0xa6,0x6e,0xe7,
630 0x36,0xdb,0xaa,0x3b, 0xf1,0xd0,0x28,0x3b,
631 0x71,0x7b,0x33,0x6e, 0xb3,0xae,0x5b,0xdd,
632 0x04,0x17,0x2e,0xa2, 0x6e,0x5a,0x48,0xf3,
633 0xb3,0xfb,0xab,0xf8, 0x2f,0x76,0x79,
634 },
635 [2] = { /* p. 215 */
636 0x2c,0xd2,0x63,0x2a, 0x89,0xda,0x8c,0x15,
637 0x02,0x14,0x11,0x07, 0xba,0xf5,0x02,0xb9,
638 0x7d,0x38,0xc4,0x48, 0x48,0x08,0x71,0x0a,
639 0x66,0xf8,0x40,0x11, 0xd7,0x02,0x8d,0x14,
640 0xd3,0x15,0x5a,0x73, 0x79,0xad,0xd5,0x3c,
641 0xc8,0xea,0x84,0xd0, 0xfc,0x64,0x1d,0xfc,
642 0x62,0x9e,0x06,0x19, 0x1f,0x5f,0x6d,
643 },
644 },
645 .rnd_val = {
646 [0] = { /* p. 213 */
647 0x4a,0x62,0x66,0x4f, 0x26,0x6e,0xe5,0x37,
648 0xb9,0x0d,0x64,0xb0, 0x5e,0x1d,0x81,0x3d,
649 0x28,0xb1,0x59,0xa9, 0x79,0xf1,0x50,0x9d,
650 0xde,0x31,0xb7,0x1d, 0xa4,0x3d,0x54,0x6e,
651 0xe8,0xe7,0x86,0x78, 0x20,0x2d,0xc2,0x37,
652 0xad,0x4a,0xfe,0x7d, 0xf3,0x10,0xc9,0xa4,
653 0x13,0xe3,0x8a,0xaf, 0x41,0x7d,0x2d,0x22,
654 0x5a,0xa3,0x65,0xec, 0x4a,0x7d,0x29,0x96,
655 },
656 [1] = { /* p. 215 */
657 0x59,0x58,0x3d,0x3c, 0x0a,0xc3,0x71,0x30,
658 0xc4,0x78,0x9a,0x83, 0x11,0xb8,0xca,0x8f,
659 0x98,0x5e,0xf1,0xe8, 0xf9,0x4d,0x95,0x4e,
660 0x32,0xe3,0x44,0xa6, 0x21,0xc2,0x4b,0x2f,
661 0x37,0x1d,0xa9,0xba, 0x3c,0x33,0x15,0x3f,
662 0x09,0xe5,0x51,0x45, 0xe7,0x62,0x92,0x6b,
663 0x73,0xac,0x14,0x7a, 0x1e,0x86,0x31,0xd1,
664 0xcc,0xd0,0x85,0x67, 0xcf,0x67,0x7c,0x72,
665 },
666 },
667 },
668
669 [3] = { /* Hash_DRBG.pdf, p. 215 */
670 .personalization = &kat_personalization,
671 .additional = kat_additional,
672 .reseed = false,
673 .C = { /* p. 220 */
674 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55,
675 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c,
676 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69,
677 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87,
678 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c,
679 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03,
680 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0,
681 },
682 .V = {
683 [0] = { /* p. 218 */
684 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69,
685 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0,
686 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63,
687 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4,
688 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8,
689 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35,
690 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca,
691 },
692 [1] = { /* p. 222 */
693 0xe8,0x5d,0xd8,0xb1, 0xd8,0x6c,0x16,0xbf,
694 0x62,0x8b,0xf3,0xb5, 0xf9,0x97,0x04,0x4d,
695 0x2a,0x69,0x13,0x8c, 0xd6,0xa6,0x6f,0x8c,
696 0xa8,0x7b,0x87,0x43, 0x50,0x20,0x2e,0x1d,
697 0x8a,0xb0,0xb5,0xad, 0x47,0xac,0xc2,0x75,
698 0x40,0x28,0x9f,0xe3, 0xa8,0xe3,0x1f,0x7b,
699 0x56,0x58,0xdd,0xd1, 0x96,0x94,0x89,
700 },
701 [2] = { /* p. 225 */
702 0x2c,0xd2,0x63,0x2a, 0x89,0xda,0x8c,0x15,
703 0x02,0x14,0x11,0x07, 0xba,0xf5,0x02,0xb9,
704 0x7d,0x38,0xc4,0x48, 0x48,0x08,0x71,0xb2,
705 0x77,0xae,0xc7,0xff, 0x8d,0xa2,0x3c,0x71,
706 0xef,0xf5,0x9d,0xc2, 0x4e,0x5e,0x4c,0x7f,
707 0x58,0x47,0xb0,0xc1, 0x2f,0x6a,0x59,0x9e,
708 0x6b,0x2e,0xda,0xc0, 0x30,0x6b,0xcd,
709 },
710 },
711 .rnd_val = { /* p. 222 */
712 [0] = {
713 0xe0,0xb9,0x7c,0x82, 0x12,0x68,0xfd,0x3b,
714 0xb2,0xca,0xbf,0xd1, 0xf9,0x54,0x84,0x78,
715 0xae,0x8a,0x60,0x41, 0x7f,0x7b,0x09,0x4a,
716 0x26,0x13,0x95,0x46, 0x06,0x2b,0x52,0x1c,
717 0xfd,0x33,0xe4,0xe3, 0x9b,0x9d,0xcd,0x0a,
718 0x3d,0xa1,0x52,0x09, 0xc7,0x2a,0xdb,0xe5,
719 0x8c,0x20,0xab,0x34, 0x07,0x02,0x69,0x51,
720 0x29,0x7a,0xd2,0x54, 0x30,0x75,0x53,0xa5,
721 },
722 [1] = { /* p. 225 */
723 0xc1,0xac,0xd3,0xad, 0xa4,0xc8,0xc4,0x95,
724 0xbf,0x17,0x9d,0xb5, 0x98,0x22,0xc3,0x51,
725 0xbc,0x47,0x9a,0xbe, 0x4e,0xb2,0x8f,0x84,
726 0x39,0x57,0xb1,0x1e, 0x3c,0x2b,0xc0,0x48,
727 0x83,0x96,0x42,0x97, 0x97,0x5b,0xd7,0x2d,
728 0x10,0x24,0xab,0xcf, 0x6f,0x66,0x15,0xd7,
729 0xf5,0xb4,0xfd,0x1e, 0x40,0xa6,0x4e,0xeb,
730 0x45,0xba,0x21,0x81, 0xb8,0x39,0x37,0xed,
731 },
732 },
733 },
734
735 [4] = { /* Hash_DRBG.pdf, p. 225 */
736 .personalization = &kat_zero,
737 .additional = kat_no_additional,
738 .reseed = true,
739 .C = { /* p. 229 */
740 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b,
741 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee,
742 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a,
743 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0,
744 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02,
745 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea,
746 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1,
747 },
748 .V = {
749 [0] = { /* p. 227 */
750 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09,
751 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11,
752 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd,
753 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95,
754 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d,
755 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe,
756 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1,
757 },
758 [1] = { /* p. 234 */
759 0x23,0x97,0x6c,0x61, 0x63,0xd7,0xe2,0x4a,
760 0x1a,0x03,0x8f,0x2b, 0x2b,0x64,0x67,0x97,
761 0x50,0xca,0x9e,0xd8, 0xd1,0x40,0x69,0x8d,
762 0x64,0x22,0x39,0x7b, 0x02,0x96,0x9e,0x6e,
763 0xcd,0xd2,0x9d,0xac, 0xc5,0x76,0x7e,0x2c,
764 0xc2,0xd0,0xa1,0x56, 0xc8,0x7a,0xd0,0xb3,
765 0x57,0x89,0x05,0x07, 0xe0,0x37,0x77,
766 },
767 [2] = { /* p. 239 */
768 0x92,0xfb,0x0e,0x48, 0x0e,0x86,0x99,0x13,
769 0xc7,0xad,0x45,0xc7, 0xe3,0xfd,0x46,0x10,
770 0x17,0xe5,0xa6,0xb7, 0x70,0xf3,0x3b,0x31,
771 0x3c,0x38,0x83,0xf1, 0xcc,0x56,0x71,0x89,
772 0x45,0x21,0xf5,0xed, 0xe6,0x2e,0xaa,0xb0,
773 0x83,0xb1,0x41,0xa7, 0x5b,0x5c,0xc0,0x22,
774 0x60,0x5a,0x8a,0x3d, 0xc7,0x1b,0xa7,
775 },
776 },
777 .rnd_val = {
778 [0] = { /* p. 234 */
779 0x92,0x27,0x55,0x23, 0xc7,0x0e,0x56,0x7b,
780 0xcf,0x9b,0x35,0xec, 0x50,0xb9,0x33,0xf8,
781 0x12,0x61,0x6d,0xf5, 0x86,0xb7,0xf7,0x2e,
782 0xe1,0xbc,0x77,0x35, 0xa5,0xc2,0x65,0x43,
783 0x73,0xcb,0xbc,0x72, 0x31,0x6d,0xff,0x84,
784 0x20,0xa3,0x3b,0xf0, 0x2b,0x97,0xac,0x8d,
785 0x19,0x52,0x58,0x3f, 0x27,0x0a,0xcd,0x70,
786 0x05,0xcc,0x02,0x7f, 0x4c,0xf1,0x18,0x7e,
787 },
788 [1] = { /* p. 239 */
789 0x68,0x1a,0x46,0xb2, 0xaa,0x86,0x94,0xa0,
790 0xfe,0x4d,0xee,0xa7, 0x20,0x92,0x7a,0x84,
791 0xea,0xaa,0x98,0x5e, 0x59,0xc1,0x9f,0x8b,
792 0xe0,0x98,0x4d,0x8c, 0xbe,0xf8,0xc6,0x9b,
793 0x75,0x41,0x67,0x64, 0x19,0x46,0xe0,0x40,
794 0xee,0x20,0x43,0xe1, 0xcc,0xb2,0x9d,0xcf,
795 0x06,0x3c,0x0a,0x50, 0x83,0x0e,0x42,0x8e,
796 0x6d,0xca,0x26,0x2e, 0xcd,0x77,0xc5,0x42,
797 },
798 },
799 },
800
801 [5] = { /* Hash_DRBG.pdf, p. 239 */
802 .personalization = &kat_zero,
803 .additional = kat_additional,
804 .reseed = true,
805 .C = { /* p. 243 */
806 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b,
807 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee,
808 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a,
809 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0,
810 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02,
811 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea,
812 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1,
813 },
814 .V = {
815 [0] = { /* p. 242 */
816 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09,
817 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11,
818 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd,
819 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95,
820 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d,
821 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe,
822 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1,
823 },
824 [1] = { /* p. 249 */
825 0xb3,0x74,0x95,0x46, 0x81,0xcf,0xc9,0x5b,
826 0x8d,0xb8,0x39,0x52, 0x8c,0x71,0x08,0x83,
827 0x5e,0xb4,0xf3,0x0a, 0xd9,0x1c,0xbe,0x9e,
828 0xa0,0xd5,0x45,0xcc, 0xfd,0x18,0x13,0x2a,
829 0xf1,0xd3,0x76,0x8f, 0x47,0x02,0x77,0x2b,
830 0x69,0x15,0x9f,0x2c, 0xc0,0x7f,0x48,0x74,
831 0x1e,0xb5,0xb2,0xb1, 0x22,0x11,0x25,
832 },
833 [2] = { /* p. 254 */
834 0xbf,0xe3,0xd6,0x81, 0xa2,0x0f,0xbe,0x39,
835 0x03,0x8f,0x4d,0x66, 0x77,0x7c,0x1b,0xe5,
836 0x79,0xee,0xb4,0x85, 0x7b,0x42,0xf2,0x1c,
837 0x3f,0x59,0x8b,0x59, 0x62,0xb7,0xaa,0x48,
838 0x0e,0xa5,0x65,0xfe, 0xea,0xbd,0xfb,0xd6,
839 0xa7,0xec,0xcb,0x96, 0x02,0xc1,0x4b,0xfa,
840 0x30,0xf0,0xf9,0x81, 0x90,0x0c,0xd0,
841 },
842 },
843 .rnd_val = {
844 [0] = { /* p. 249 */
845 0x11,0x60,0x1b,0x72, 0xca,0x60,0x89,0x73,
846 0x6b,0x20,0x47,0x44, 0xb2,0x9d,0xa1,0xaa,
847 0xaf,0xba,0xca,0xa5, 0x28,0x8f,0x06,0xbe,
848 0x48,0x45,0x69,0xcc, 0xed,0xbe,0xce,0x03,
849 0xe8,0x22,0xea,0xa5, 0xb1,0x4f,0x0e,0x04,
850 0x94,0x8c,0x05,0xcd, 0x3c,0xc2,0xe2,0x88,
851 0x9a,0x89,0xfa,0x03, 0xd6,0x5d,0x4d,0x74,
852 0xac,0x50,0xff,0x6b, 0xd8,0x56,0xe5,0x79,
853 },
854 [1] = { /* p. 255 */
855 0x05,0x5b,0xc1,0x28, 0xcc,0x2d,0x0e,0x25,
856 0x0f,0x47,0xe4,0xe4, 0xf5,0x82,0x37,0x5d,
857 0xe3,0xee,0x5e,0x9f, 0xe8,0x31,0x68,0x74,
858 0x97,0xe5,0xaf,0x1e, 0x7c,0xb6,0x9e,0xfd,
859 0xeb,0xd2,0xfd,0x31, 0xc7,0xce,0x2b,0xba,
860 0x0d,0xbc,0x6c,0x74, 0xc8,0xa2,0x0a,0x7d,
861 0x72,0xf6,0x0e,0x6d, 0x9f,0x63,0xed,0x50,
862 0x9e,0x96,0x3e,0x54, 0xa6,0x9e,0x90,0x48,
863 },
864 },
865 },
866
867 [6] = { /* Hash_DRBG.pdf, p. 255 */
868 .personalization = &kat_personalization,
869 .additional = kat_no_additional,
870 .reseed = true,
871 .C = { /* p. 259 */
872 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55,
873 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c,
874 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69,
875 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87,
876 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c,
877 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03,
878 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0,
879 },
880 .V = {
881 [0] = { /* p. 257 */
882 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69,
883 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0,
884 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63,
885 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4,
886 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8,
887 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35,
888 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca,
889 },
890 [1] = { /* p. 264 */
891 0xaa,0x11,0x1b,0x0e, 0xd5,0x6c,0xf4,0xa6,
892 0xcc,0xe4,0xad,0xe7, 0xf1,0x1b,0x06,0x10,
893 0x45,0xbf,0x10,0x92, 0xcb,0xb3,0x8f,0xf3,
894 0x23,0x95,0xea,0x62, 0xd2,0x6b,0x27,0xc8,
895 0x86,0x89,0x45,0xc5, 0x93,0xba,0x70,0xc3,
896 0x84,0xad,0xad,0x45, 0x77,0x1c,0x93,0xb0,
897 0x9c,0x27,0x69,0x07, 0x52,0xd1,0xd8,
898 },
899 [2] = { /* p. 269 */
900 0x5f,0x0f,0xd4,0x0c, 0x8c,0x82,0xef,0x41,
901 0x03,0x14,0xb8,0x30, 0xc2,0x0f,0xcc,0xea,
902 0x71,0x59,0x18,0x9a, 0xea,0x13,0xe8,0x48,
903 0x75,0x68,0x68,0x18, 0xcd,0x4f,0x12,0xb9,
904 0xde,0xa8,0x82,0x58, 0x16,0xa4,0x13,0xa2,
905 0x95,0x72,0x5e,0xb3, 0x3e,0x33,0xb9,0xad,
906 0xfe,0xe0,0xb1,0xc2, 0x34,0x0a,0xe0,
907 },
908 },
909 .rnd_val = {
910 [0] = { /* p. 264 */
911 0x7a,0x33,0xd3,0x90, 0x33,0xf8,0x60,0x58,
912 0x9f,0x37,0x5e,0x73, 0x35,0x30,0x75,0x52,
913 0x96,0x58,0xbb,0xed, 0x99,0xc8,0xa0,0xef,
914 0x5e,0x28,0xb3,0x51, 0xb2,0xdf,0x33,0x58,
915 0xb3,0xd8,0x9b,0xac, 0x72,0x25,0xdf,0x9e,
916 0x3b,0xcd,0x08,0x36, 0xb9,0x9b,0x5d,0xbf,
917 0x36,0x3a,0x17,0x0c, 0x7b,0xb9,0xbe,0x41,
918 0xa4,0xaa,0x97,0x44, 0x5e,0xce,0xe4,0x1e,
919 },
920 [1] = { /* p. 269 */
921 0x04,0x1a,0xbd,0x94, 0x07,0x9a,0x05,0x71,
922 0x88,0x5f,0x16,0x65, 0x94,0x4e,0x0e,0x7f,
923 0x1b,0xfa,0xcd,0xea, 0xea,0xe9,0xd4,0x4e,
924 0xed,0xc1,0x1f,0xad, 0xd8,0x4c,0x34,0xc7,
925 0xca,0xa7,0x3d,0x09, 0xa0,0x19,0x31,0x93,
926 0xfa,0x40,0xa1,0x9f, 0x64,0x4f,0x04,0x8d,
927 0x2a,0x54,0x17,0x04, 0x25,0x53,0xdf,0x52,
928 0x51,0x74,0x1b,0x40, 0xea,0xcf,0xeb,0x98,
929 },
930 },
931 },
932
933 [7] = { /* Hash_DRBG.pdf, p. 269 */
934 .personalization = &kat_personalization,
935 .additional = kat_additional,
936 .reseed = true,
937 .C = { /* p. 274 */
938 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55,
939 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c,
940 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69,
941 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87,
942 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c,
943 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03,
944 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0,
945 },
946 .V = {
947 [0] = { /* p. 272 */
948 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69,
949 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0,
950 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63,
951 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4,
952 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8,
953 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35,
954 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca,
955 },
956 [1] = { /* p. 279 */
957 0xaa,0xf6,0xb9,0x9b, 0x7f,0x84,0xb0,0x36,
958 0xe1,0xcc,0xbc,0x9d, 0x57,0x3a,0x36,0xb8,
959 0xbd,0xd4,0x7c,0x35, 0x8b,0xb5,0xf3,0xc1,
960 0xd6,0xe7,0x90,0x3a, 0xaa,0x29,0xf1,0xc8,
961 0x7a,0xe6,0x66,0xb8, 0x86,0x93,0xbe,0xf4,
962 0x6c,0x51,0xc2,0x4c, 0x47,0xbe,0xfe,0x4b,
963 0x35,0x75,0x4d,0xcb, 0xfa,0x1e,0x7d,
964 },
965 [2] = { /* p. 285 */
966 0x0c,0x75,0x77,0x4d, 0x61,0x02,0x69,0xad,
967 0x5b,0xb4,0xab,0xbb, 0x14,0x83,0x23,0xc9,
968 0x78,0x9f,0x8f,0x76, 0x25,0xcc,0x34,0x33,
969 0x7c,0x03,0x47,0x2d, 0x9a,0x0c,0x4f,0xac,
970 0x30,0xbe,0xd2,0xdd, 0xde,0x64,0xb8,0x7a,
971 0x2c,0x70,0x67,0x52, 0xc2,0x1a,0xc0,0x11,
972 0x27,0x43,0x59,0x2c, 0x4f,0xdf,0x67,
973 },
974 },
975 .rnd_val = { /* p. 279 */
976 [0] = {
977 0x88,0x97,0x32,0x97, 0x5b,0x36,0xe8,0xe2,
978 0xe7,0xb7,0x40,0x50, 0xae,0xa1,0x71,0x39,
979 0xda,0x2b,0x86,0x34, 0xdc,0xe2,0x13,0x3b,
980 0x06,0x34,0x74,0x3f, 0x47,0x75,0x57,0xab,
981 0x7b,0x84,0x4e,0xd3, 0xf2,0xa4,0x6c,0xc6,
982 0x3e,0xb2,0x32,0x86, 0x46,0x4c,0x51,0xd5,
983 0xd7,0x69,0x71,0xc4, 0x7b,0xc5,0xb5,0x5f,
984 0xed,0x72,0xa8,0x04, 0x3c,0xbf,0x66,0x4f,
985 },
986 [1] = {
987 0xbf,0x49,0xb8,0x89, 0xba,0x98,0x4d,0x34,
988 0x63,0x87,0xe8,0x64, 0x7e,0x98,0xbb,0x99,
989 0xcd,0x41,0xa3,0x2f, 0xbe,0xc1,0xfc,0xb3,
990 0xb6,0xa1,0xb7,0xd9, 0x93,0x2b,0xa7,0xe1,
991 0x1e,0xe6,0xbb,0xd9, 0x24,0x40,0x5a,0x2c,
992 0x7f,0xca,0x89,0x0a, 0x5e,0x9a,0x8d,0xea,
993 0x66,0xac,0x0c,0xac, 0xa0,0xca,0x7b,0xc1,
994 0x8d,0x74,0xfb,0xc0, 0x2a,0x11,0xe4,0x53,
995 },
996 },
997 },
998 };
999
1000 #ifdef NIST_HASH_DRBG_DEBUG
1001 #define DPRINTF(fmt, ...) \
1002 printf("%s:%d: " fmt, __func__, __LINE__, ##__VA_ARGS__)
1003 #define DUSE(v)
1004 #else
1005 #define DPRINTF(fmt, ...)
1006 #define DUSE(v) (void)(v)
1007 #endif
1008
1009 #define CHECK(i, name, actual, expected, n) do \
1010 { \
1011 CTASSERT(sizeof(actual) == (n)); \
1012 ok &= check(i, name, actual, expected, (n)); \
1013 } while (0)
1014
1015 static bool
check(unsigned katno,const char * name,const uint8_t * actual,const uint8_t * expected,size_t n)1016 check(unsigned katno, const char *name, const uint8_t *actual,
1017 const uint8_t *expected, size_t n)
1018 {
1019 bool ok = true;
1020 size_t i;
1021
1022 DUSE(katno);
1023 DUSE(name);
1024
1025 for (i = 0; i < n; i++) {
1026 if (actual[i] != expected[i]) {
1027 DPRINTF("KAT %u %s[%zu] = %02x, expected %02x\n",
1028 katno, name, i, actual[i], expected[i]);
1029 ok = false;
1030 }
1031 }
1032
1033 return ok;
1034 }
1035
1036 #ifdef NIST_HASH_DRBG_MAIN
1037 int
main(void)1038 main(void)
1039 {
1040 int ret;
1041
1042 ret = nist_hash_drbg_initialize();
1043
1044 fflush(stdout);
1045 return ret || ferror(stdout);
1046 }
1047 #endif
1048
1049 int
nist_hash_drbg_initialize(void)1050 nist_hash_drbg_initialize(void)
1051 {
1052 const unsigned truncation[] = { 0, 1, 32, 63 };
1053 bool ok = true;
1054 size_t i, j;
1055
1056 for (i = 0; i < arraycount(kat); i++) {
1057 for (j = 0; j < arraycount(truncation); j++) {
1058 const unsigned trunc = truncation[j];
1059 struct nist_hash_drbg drbg, *D = &drbg;
1060 uint8_t rnd_val[64];
1061 unsigned reseed_counter;
1062
1063 nist_hash_drbg_instantiate(D,
1064 kat_entropy[0], sizeof kat_entropy[0],
1065 kat_nonce, sizeof kat_nonce,
1066 kat[i].personalization->hv_base,
1067 kat[i].personalization->hv_len);
1068 reseed_counter = 1;
1069 CHECK(i, "C", D->C, kat[i].C, SEEDLEN_BYTES);
1070 CHECK(i, "V[0]", D->V, kat[i].V[0], SEEDLEN_BYTES);
1071 if (D->reseed_counter != reseed_counter) {
1072 DPRINTF("bad reseed counter: %u, expected %u",
1073 D->reseed_counter, reseed_counter);
1074 ok = false;
1075 }
1076
1077 if (kat[i].reseed) {
1078 nist_hash_drbg_reseed(D,
1079 kat_entropy[1], sizeof kat_entropy[1],
1080 kat[i].additional[0]->hv_base,
1081 kat[i].additional[0]->hv_len);
1082 }
1083
1084 nist_hash_drbg_generate(D, rnd_val,
1085 sizeof(rnd_val) - trunc,
1086 kat[i].reseed ? 0 : kat[i].additional[0]->hv_base,
1087 kat[i].reseed ? 0 : kat[i].additional[0]->hv_len);
1088 reseed_counter++;
1089 CHECK(i, "V[1]", D->V, kat[i].V[1], SEEDLEN_BYTES);
1090 ASSERT(sizeof(kat[i].rnd_val[0]) - trunc <=
1091 sizeof rnd_val);
1092 check(i, "rnd_val[0]", rnd_val, kat[i].rnd_val[0],
1093 sizeof(kat[i].rnd_val[0]) - trunc);
1094 if (D->reseed_counter != reseed_counter) {
1095 DPRINTF("bad reseed counter: %u, expected %u",
1096 D->reseed_counter, reseed_counter);
1097 ok = false;
1098 }
1099
1100 if (kat[i].reseed) {
1101 nist_hash_drbg_reseed(D,
1102 kat_entropy[2], sizeof kat_entropy[2],
1103 kat[i].additional[1]->hv_base,
1104 kat[i].additional[1]->hv_len);
1105 reseed_counter = 1;
1106 }
1107
1108 nist_hash_drbg_generate(D, rnd_val,
1109 sizeof(rnd_val) - trunc,
1110 kat[i].reseed ? 0 : kat[i].additional[1]->hv_base,
1111 kat[i].reseed ? 0 : kat[i].additional[1]->hv_len);
1112 reseed_counter++;
1113 CHECK(i, "V[2]", D->V, kat[i].V[2], SEEDLEN_BYTES);
1114 ASSERT(sizeof(kat[i].rnd_val[1]) - trunc <=
1115 sizeof rnd_val);
1116 check(i, "rnd_val[1]", rnd_val, kat[i].rnd_val[1],
1117 sizeof(kat[i].rnd_val[1]) - trunc);
1118 if (D->reseed_counter != reseed_counter) {
1119 DPRINTF("bad reseed counter: %u, expected %u",
1120 D->reseed_counter, reseed_counter);
1121 ok = false;
1122 }
1123
1124 nist_hash_drbg_destroy(D);
1125 }
1126 }
1127
1128 if (!ok)
1129 return 1;
1130 return 0;
1131 }
1132