nist_hash_drbg.c revision 1.1.6.2
1 1.1.6.2 martin /* $NetBSD: nist_hash_drbg.c,v 1.1.6.2 2019/09/03 12:20:42 martin Exp $ */ 2 1.1.6.2 martin 3 1.1.6.2 martin /*- 4 1.1.6.2 martin * Copyright (c) 2019 The NetBSD Foundation, Inc. 5 1.1.6.2 martin * All rights reserved. 6 1.1.6.2 martin * 7 1.1.6.2 martin * This code is derived from software contributed to The NetBSD Foundation 8 1.1.6.2 martin * by Taylor R. Campbell. 9 1.1.6.2 martin * 10 1.1.6.2 martin * Redistribution and use in source and binary forms, with or without 11 1.1.6.2 martin * modification, are permitted provided that the following conditions 12 1.1.6.2 martin * are met: 13 1.1.6.2 martin * 1. Redistributions of source code must retain the above copyright 14 1.1.6.2 martin * notice, this list of conditions and the following disclaimer. 15 1.1.6.2 martin * 2. Redistributions in binary form must reproduce the above copyright 16 1.1.6.2 martin * notice, this list of conditions and the following disclaimer in the 17 1.1.6.2 martin * documentation and/or other materials provided with the distribution. 18 1.1.6.2 martin * 19 1.1.6.2 martin * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 1.1.6.2 martin * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 1.1.6.2 martin * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 1.1.6.2 martin * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 1.1.6.2 martin * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 1.1.6.2 martin * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 1.1.6.2 martin * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 1.1.6.2 martin * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 1.1.6.2 martin * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 1.1.6.2 martin * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 1.1.6.2 martin * POSSIBILITY OF SUCH DAMAGE. 30 1.1.6.2 martin */ 31 1.1.6.2 martin 32 1.1.6.2 martin /* 33 1.1.6.2 martin * This file implements Hash_DRBG, a `deterministic random bit 34 1.1.6.2 martin * generator' (more commonly known in lay terms and in the cryptography 35 1.1.6.2 martin * literature as a pseudorandom bit generator or pseudorandom number 36 1.1.6.2 martin * generator), described in 37 1.1.6.2 martin * 38 1.1.6.2 martin * Elaine Barker and John Kelsey, `Recommendation for Random 39 1.1.6.2 martin * Number Generation Using Deterministic Random Bit Generators', 40 1.1.6.2 martin * NIST SP800-90A, June 2015. 41 1.1.6.2 martin * 42 1.1.6.2 martin * This code is meant to work in userland or in kernel. For a test 43 1.1.6.2 martin * program, compile with -DNIST_HASH_DRBG_MAIN to define a `main' 44 1.1.6.2 martin * function; for verbose debugging output, compile with 45 1.1.6.2 martin * -DNIST_HASH_DRBG_DEBUG, mainly useful if you need to change 46 1.1.6.2 martin * something and have to diagnose what's wrong with the known-answer 47 1.1.6.2 martin * tests. 48 1.1.6.2 martin */ 49 1.1.6.2 martin 50 1.1.6.2 martin #ifdef _KERNEL 52 1.1.6.2 martin #include <sys/cdefs.h> 53 1.1.6.2 martin __KERNEL_RCSID(0, "$NetBSD: nist_hash_drbg.c,v 1.1.6.2 2019/09/03 12:20:42 martin Exp $"); 54 1.1.6.2 martin #endif 55 1.1.6.2 martin 56 1.1.6.2 martin #include <sys/param.h> 57 1.1.6.2 martin #include <sys/types.h> 58 1.1.6.2 martin #include <sys/sha2.h> 59 1.1.6.2 martin 60 1.1.6.2 martin #ifdef _KERNEL 61 1.1.6.2 martin #include <sys/systm.h> /* memcpy */ 62 1.1.6.2 martin #include <lib/libkern/libkern.h> /* KASSERT */ 63 1.1.6.2 martin #define ASSERT KASSERT 64 1.1.6.2 martin #else 65 1.1.6.2 martin #include <assert.h> 66 1.1.6.2 martin #include <stdbool.h> 67 1.1.6.2 martin #include <stdio.h> 68 1.1.6.2 martin #include <string.h> 69 1.1.6.2 martin #define ASSERT assert 70 1.1.6.2 martin #define CTASSERT __CTASSERT 71 1.1.6.2 martin #endif 72 1.1.6.2 martin 73 1.1.6.2 martin #include "nist_hash_drbg.h" 74 1.1.6.2 martin 75 1.1.6.2 martin #define secret /* must not use in variable-time operations; should zero */ 76 1.1.6.2 martin #define arraycount(A) (sizeof(A)/sizeof(A[0])) 77 1.1.6.2 martin 78 1.1.6.2 martin CTASSERT(0 < NIST_HASH_DRBG_RESEED_INTERVAL); 79 1.1.6.2 martin CTASSERT(NIST_HASH_DRBG_RESEED_INTERVAL <= INT_MAX); 80 1.1.6.2 martin CTASSERT(NIST_HASH_DRBG_RESEED_INTERVAL <= ~(~0ull << 48)); 81 1.1.6.2 martin 82 1.1.6.2 martin /* Instantiation: SHA-256 */ 83 1.1.6.2 martin #define HASH_LENGTH SHA256_DIGEST_LENGTH 84 1.1.6.2 martin #define HASH_CTX SHA256_CTX 85 1.1.6.2 martin #define hash_init SHA256_Init 86 1.1.6.2 martin #define hash_update SHA256_Update 87 1.1.6.2 martin #define hash_final SHA256_Final 88 1.1.6.2 martin 89 1.1.6.2 martin #define SEEDLEN_BYTES NIST_HASH_DRBG_SEEDLEN_BYTES 90 1.1.6.2 martin 91 1.1.6.2 martin struct hvec { 92 1.1.6.2 martin const void *hv_base; 93 1.1.6.2 martin size_t hv_len; 94 1.1.6.2 martin }; 95 1.1.6.2 martin 96 1.1.6.2 martin static void hashgen(secret uint8_t *, size_t, 97 1.1.6.2 martin const secret uint8_t[SEEDLEN_BYTES]); 98 1.1.6.2 martin static void add8(secret uint8_t *, size_t, const secret uint8_t *, size_t); 99 1.1.6.2 martin static void hash_df(secret void *, size_t, const struct hvec *, size_t); 100 1.1.6.2 martin static void hash_df_block(secret void *, uint8_t, uint8_t[4], 101 1.1.6.2 martin const struct hvec *, size_t); 102 1.1.6.2 martin 103 1.1.6.2 martin /* 10.1.1 Hash_DRBG */ 105 1.1.6.2 martin 106 1.1.6.2 martin int 107 1.1.6.2 martin nist_hash_drbg_destroy(struct nist_hash_drbg *D) 108 1.1.6.2 martin { 109 1.1.6.2 martin 110 1.1.6.2 martin explicit_memset(D, 0, sizeof(*D)); 111 1.1.6.2 martin D->reseed_counter = UINT_MAX; /* paranoia: make generate fail */ 112 1.1.6.2 martin 113 1.1.6.2 martin /* Always return zero for hysterical raisins. (XXX) */ 114 1.1.6.2 martin return 0; 115 1.1.6.2 martin } 116 1.1.6.2 martin 117 1.1.6.2 martin /* 10.1.1.2 Instantiation of Hash_DRBG */ 118 1.1.6.2 martin 119 1.1.6.2 martin int 120 1.1.6.2 martin nist_hash_drbg_instantiate(secret struct nist_hash_drbg *D, 121 1.1.6.2 martin const secret void *entropy, size_t entropylen, 122 1.1.6.2 martin const void *nonce, size_t noncelen, 123 1.1.6.2 martin const void *personalization, size_t personalizationlen) 124 1.1.6.2 martin { 125 1.1.6.2 martin /* 126 1.1.6.2 martin * 1. seed_material = entropy_input || nonce || personalization_string 127 1.1.6.2 martin */ 128 1.1.6.2 martin const struct hvec seed_material[] = { 129 1.1.6.2 martin { .hv_base = entropy, .hv_len = entropylen }, 130 1.1.6.2 martin { .hv_base = nonce, .hv_len = noncelen }, 131 1.1.6.2 martin { .hv_base = personalization, .hv_len = personalizationlen }, 132 1.1.6.2 martin }; 133 1.1.6.2 martin 134 1.1.6.2 martin /* 135 1.1.6.2 martin * 2. seed = Hash_df(seed_material, seedlen) 136 1.1.6.2 martin * 3. V = seed 137 1.1.6.2 martin */ 138 1.1.6.2 martin CTASSERT(sizeof D->V == SEEDLEN_BYTES); 139 1.1.6.2 martin hash_df(D->V, sizeof D->V, seed_material, arraycount(seed_material)); 140 1.1.6.2 martin 141 1.1.6.2 martin /* 4. C = Hash_df((0x00 || V), seedlen) */ 142 1.1.6.2 martin const struct hvec hv[] = { 143 1.1.6.2 martin { .hv_base = (const uint8_t[]) {0x00}, .hv_len = 1 }, 144 1.1.6.2 martin { .hv_base = D->V, .hv_len = sizeof D->V }, 145 1.1.6.2 martin }; 146 1.1.6.2 martin CTASSERT(sizeof D->C == SEEDLEN_BYTES); 147 1.1.6.2 martin hash_df(D->C, sizeof D->C, hv, arraycount(hv)); 148 1.1.6.2 martin 149 1.1.6.2 martin /* 5. reseed_counter = 1 */ 150 1.1.6.2 martin D->reseed_counter = 1; 151 1.1.6.2 martin 152 1.1.6.2 martin /* Always return zero for hysterical raisins. (XXX) */ 153 1.1.6.2 martin return 0; 154 1.1.6.2 martin } 155 1.1.6.2 martin 156 1.1.6.2 martin /* 10.1.1.3 Reseeding a Hash_DRBG Instantiation */ 158 1.1.6.2 martin 159 1.1.6.2 martin int 160 1.1.6.2 martin nist_hash_drbg_reseed(secret struct nist_hash_drbg *D, 161 1.1.6.2 martin const secret void *entropy, size_t entropylen, 162 1.1.6.2 martin const void *additional, size_t additionallen) 163 1.1.6.2 martin { 164 1.1.6.2 martin /* 1. seed_material = 0x01 || V || entropy_input || additional_input */ 165 1.1.6.2 martin const struct hvec seed_material[] = { 166 1.1.6.2 martin { .hv_base = (const uint8_t[]) {0x01}, .hv_len = 1 }, 167 1.1.6.2 martin { .hv_base = D->V, .hv_len = sizeof D->V }, 168 1.1.6.2 martin { .hv_base = entropy, .hv_len = entropylen }, 169 1.1.6.2 martin { .hv_base = additional, .hv_len = additionallen }, 170 1.1.6.2 martin }; 171 1.1.6.2 martin uint8_t seed[SEEDLEN_BYTES]; 172 1.1.6.2 martin 173 1.1.6.2 martin /* 174 1.1.6.2 martin * 2. seed = Hash_df(seed_material, seedlen) 175 1.1.6.2 martin * 3. V = seed 176 1.1.6.2 martin */ 177 1.1.6.2 martin CTASSERT(sizeof D->V == SEEDLEN_BYTES); 178 1.1.6.2 martin hash_df(seed, sizeof seed, seed_material, arraycount(seed_material)); 179 1.1.6.2 martin memcpy(D->V, seed, sizeof D->V); 180 1.1.6.2 martin 181 1.1.6.2 martin /* 3. C = Hash_df((0x00 || V), seedlen) */ 182 1.1.6.2 martin const struct hvec hv[] = { 183 1.1.6.2 martin { .hv_base = (const uint8_t[]) {0x00}, .hv_len = 1 }, 184 1.1.6.2 martin { .hv_base = D->V, .hv_len = sizeof D->V }, 185 1.1.6.2 martin }; 186 1.1.6.2 martin CTASSERT(sizeof D->C == SEEDLEN_BYTES); 187 1.1.6.2 martin hash_df(D->C, sizeof D->C, hv, arraycount(hv)); 188 1.1.6.2 martin 189 1.1.6.2 martin /* 5. reseed_counter = 1 */ 190 1.1.6.2 martin D->reseed_counter = 1; 191 1.1.6.2 martin 192 1.1.6.2 martin /* Always return zero for hysterical raisins. (XXX) */ 193 1.1.6.2 martin return 0; 194 1.1.6.2 martin } 195 1.1.6.2 martin 196 1.1.6.2 martin /* 10.1.1.4 Generating Pseudorandom Bits Using Hash_DRBG */ 198 1.1.6.2 martin 199 1.1.6.2 martin int 200 1.1.6.2 martin nist_hash_drbg_generate(secret struct nist_hash_drbg *D, 201 1.1.6.2 martin secret void *output, size_t outputlen, 202 1.1.6.2 martin const void *additional, size_t additionallen) 203 1.1.6.2 martin { 204 1.1.6.2 martin secret HASH_CTX ctx; 205 1.1.6.2 martin secret uint8_t H[HASH_LENGTH]; 206 1.1.6.2 martin uint8_t reseed_counter[4]; 207 1.1.6.2 martin 208 1.1.6.2 martin ASSERT(outputlen <= NIST_HASH_DRBG_MAX_REQUEST_BYTES); 209 1.1.6.2 martin 210 1.1.6.2 martin /* 211 1.1.6.2 martin * 1. If reseed_counter > reseed_interval, then return an 212 1.1.6.2 martin * indication that a reseed is required. 213 1.1.6.2 martin */ 214 1.1.6.2 martin if (D->reseed_counter > NIST_HASH_DRBG_RESEED_INTERVAL) 215 1.1.6.2 martin return 1; 216 1.1.6.2 martin 217 1.1.6.2 martin /* 2. If (additional_input != Null), then do: */ 218 1.1.6.2 martin if (additionallen) { 219 1.1.6.2 martin /* 2.1 w = Hash(0x02 || V || additional_input) */ 220 1.1.6.2 martin secret uint8_t w[HASH_LENGTH]; 221 1.1.6.2 martin 222 1.1.6.2 martin hash_init(&ctx); 223 1.1.6.2 martin hash_update(&ctx, (const uint8_t[]) {0x02}, 1); 224 1.1.6.2 martin hash_update(&ctx, D->V, sizeof D->V); 225 1.1.6.2 martin hash_update(&ctx, additional, additionallen); 226 1.1.6.2 martin hash_final(w, &ctx); 227 1.1.6.2 martin 228 1.1.6.2 martin /* 2.2 V = (V + w) mod 2^seedlen */ 229 1.1.6.2 martin add8(D->V, sizeof D->V, w, sizeof w); 230 1.1.6.2 martin 231 1.1.6.2 martin explicit_memset(w, 0, sizeof w); 232 1.1.6.2 martin } 233 1.1.6.2 martin 234 1.1.6.2 martin /* 3. (returned_bits) = Hashgen(requested_number_of_bits, V) */ 235 1.1.6.2 martin hashgen(output, outputlen, D->V); 236 1.1.6.2 martin 237 1.1.6.2 martin /* 4. H = Hash(0x03 || V) */ 238 1.1.6.2 martin hash_init(&ctx); 239 1.1.6.2 martin hash_update(&ctx, (const uint8_t[]) {0x03}, 1); 240 1.1.6.2 martin hash_update(&ctx, D->V, sizeof D->V); 241 1.1.6.2 martin hash_final(H, &ctx); 242 1.1.6.2 martin 243 1.1.6.2 martin /* 5. V = (V + H + C + reseed_counter) mod 2^seedlen */ 244 1.1.6.2 martin be32enc(reseed_counter, D->reseed_counter); 245 1.1.6.2 martin add8(D->V, sizeof D->V, H, sizeof H); 246 1.1.6.2 martin add8(D->V, sizeof D->V, D->C, sizeof D->C); 247 1.1.6.2 martin add8(D->V, sizeof D->V, reseed_counter, sizeof reseed_counter); 248 1.1.6.2 martin 249 1.1.6.2 martin /* 6. reseed_counter = reseed_counter + 1 */ 250 1.1.6.2 martin D->reseed_counter++; 251 1.1.6.2 martin 252 1.1.6.2 martin explicit_memset(&ctx, 0, sizeof ctx); 253 1.1.6.2 martin explicit_memset(H, 0, sizeof H); 254 1.1.6.2 martin 255 1.1.6.2 martin /* 7. Return SUCCESS, ... */ 256 1.1.6.2 martin return 0; 257 1.1.6.2 martin } 258 1.1.6.2 martin 259 1.1.6.2 martin /* 261 1.1.6.2 martin * p := H(V) || H(V + 1) || H(V + 2) || ... 262 1.1.6.2 martin */ 263 1.1.6.2 martin static void 264 1.1.6.2 martin hashgen(secret uint8_t *p, size_t n, const secret uint8_t V[SEEDLEN_BYTES]) 265 1.1.6.2 martin { 266 1.1.6.2 martin secret uint8_t data[SEEDLEN_BYTES]; 267 1.1.6.2 martin secret HASH_CTX ctx; 268 1.1.6.2 martin 269 1.1.6.2 martin /* Save a copy so that we can increment it. */ 270 1.1.6.2 martin memcpy(data, V, SEEDLEN_BYTES); 271 1.1.6.2 martin 272 1.1.6.2 martin /* Generate block by block into p directly. */ 273 1.1.6.2 martin while (HASH_LENGTH <= n) { 274 1.1.6.2 martin hash_init(&ctx); 275 1.1.6.2 martin hash_update(&ctx, data, SEEDLEN_BYTES); 276 1.1.6.2 martin hash_final(p, &ctx); 277 1.1.6.2 martin 278 1.1.6.2 martin p += HASH_LENGTH; 279 1.1.6.2 martin n -= HASH_LENGTH; 280 1.1.6.2 martin add8(data, sizeof data, (const uint8_t[]) {1}, 1); 281 1.1.6.2 martin } 282 1.1.6.2 martin 283 1.1.6.2 martin /* 284 1.1.6.2 martin * If any partial block requested, generate a full block and 285 1.1.6.2 martin * copy the part we need. 286 1.1.6.2 martin */ 287 1.1.6.2 martin if (n) { 288 1.1.6.2 martin secret uint8_t t[HASH_LENGTH]; 289 1.1.6.2 martin 290 1.1.6.2 martin hash_init(&ctx); 291 1.1.6.2 martin hash_update(&ctx, data, SEEDLEN_BYTES); 292 1.1.6.2 martin hash_final(t, &ctx); 293 1.1.6.2 martin 294 1.1.6.2 martin memcpy(p, t, n); 295 1.1.6.2 martin explicit_memset(t, 0, sizeof t); 296 1.1.6.2 martin } 297 1.1.6.2 martin 298 1.1.6.2 martin explicit_memset(data, 0, sizeof data); 299 1.1.6.2 martin explicit_memset(&ctx, 0, sizeof ctx); 300 1.1.6.2 martin } 301 1.1.6.2 martin 302 1.1.6.2 martin /* 303 1.1.6.2 martin * s := s + a (big-endian, radix-2^8) 304 1.1.6.2 martin */ 305 1.1.6.2 martin static void 306 1.1.6.2 martin add8(secret uint8_t *s, size_t slen, const secret uint8_t *a, size_t alen) 307 1.1.6.2 martin { 308 1.1.6.2 martin const size_t smax = slen - 1, amax = alen - 1; 309 1.1.6.2 martin size_t i; 310 1.1.6.2 martin secret unsigned c = 0; 311 1.1.6.2 martin 312 1.1.6.2 martin /* 2^8 c + s_i := s_i + a_i + c */ 313 1.1.6.2 martin for (i = 0; i < MIN(slen, alen); i++) { 314 1.1.6.2 martin c += s[smax - i] + a[amax - i]; 315 1.1.6.2 martin s[smax - i] = c & 0xff; 316 1.1.6.2 martin c >>= 8; 317 1.1.6.2 martin } 318 1.1.6.2 martin 319 1.1.6.2 martin /* 2^8 c + s_i := s_i + c */ 320 1.1.6.2 martin for (; i < slen; i++) { 321 1.1.6.2 martin c += s[smax - i]; 322 1.1.6.2 martin s[smax - i] = c & 0xff; 323 1.1.6.2 martin c >>= 8; 324 1.1.6.2 martin } 325 1.1.6.2 martin 326 1.1.6.2 martin explicit_memset(&c, 0, sizeof c); 327 1.1.6.2 martin } 328 1.1.6.2 martin 329 1.1.6.2 martin /* 10.4.1 Derivation Function Using a Hash Function (Hash_df) */ 331 1.1.6.2 martin 332 1.1.6.2 martin static void 333 1.1.6.2 martin hash_df(void *h, size_t hlen, const struct hvec *input, size_t inputlen) 334 1.1.6.2 martin { 335 1.1.6.2 martin uint8_t *p = h; 336 1.1.6.2 martin size_t n = hlen; 337 1.1.6.2 martin uint8_t counter = 1; 338 1.1.6.2 martin uint8_t hbits[4]; 339 1.1.6.2 martin 340 1.1.6.2 martin ASSERT(hlen <= 255*HASH_LENGTH); 341 1.1.6.2 martin ASSERT(hlen <= UINT32_MAX/8); 342 1.1.6.2 martin be32enc(hbits, 8*hlen); 343 1.1.6.2 martin 344 1.1.6.2 martin while (HASH_LENGTH <= n) { 345 1.1.6.2 martin hash_df_block(p, counter++, hbits, input, inputlen); 346 1.1.6.2 martin p += HASH_LENGTH; 347 1.1.6.2 martin n -= HASH_LENGTH; 348 1.1.6.2 martin } 349 1.1.6.2 martin 350 1.1.6.2 martin if (n) { 351 1.1.6.2 martin secret uint8_t t[HASH_LENGTH]; 352 1.1.6.2 martin 353 1.1.6.2 martin hash_df_block(t, counter, hbits, input, inputlen); 354 1.1.6.2 martin memcpy(p, t, n); 355 1.1.6.2 martin 356 1.1.6.2 martin explicit_memset(t, 0, sizeof t); 357 1.1.6.2 martin } 358 1.1.6.2 martin } 359 1.1.6.2 martin 360 1.1.6.2 martin static void 361 1.1.6.2 martin hash_df_block(secret void *h, uint8_t counter, uint8_t hbits[4], 362 1.1.6.2 martin const struct hvec *input, size_t inputlen) 363 1.1.6.2 martin { 364 1.1.6.2 martin secret HASH_CTX ctx; 365 1.1.6.2 martin size_t i; 366 1.1.6.2 martin 367 1.1.6.2 martin /* 368 1.1.6.2 martin * Hash_df Process, step 4.1: 369 1.1.6.2 martin * Hash(counter || no_of_bits_to_return || input_string) 370 1.1.6.2 martin */ 371 1.1.6.2 martin hash_init(&ctx); 372 1.1.6.2 martin hash_update(&ctx, &counter, 1); 373 1.1.6.2 martin hash_update(&ctx, hbits, 4); 374 1.1.6.2 martin for (i = 0; i < inputlen; i++) { 375 1.1.6.2 martin if (input[i].hv_len) 376 1.1.6.2 martin hash_update(&ctx, input[i].hv_base, input[i].hv_len); 377 1.1.6.2 martin } 378 1.1.6.2 martin hash_final(h, &ctx); 379 1.1.6.2 martin 380 1.1.6.2 martin explicit_memset(&ctx, 0, sizeof ctx); 381 1.1.6.2 martin } 382 1.1.6.2 martin 383 1.1.6.2 martin /* 385 1.1.6.2 martin * Known-answer test vectors for Hash_DRBG with SHA-256 386 1.1.6.2 martin */ 387 1.1.6.2 martin 388 1.1.6.2 martin /* Hash_DRBG.PDF, p. 190 */ 389 1.1.6.2 martin static const uint8_t kat_entropy[3][SEEDLEN_BYTES] = { 390 1.1.6.2 martin [0] = { 391 1.1.6.2 martin 0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07, 392 1.1.6.2 martin 0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f, 393 1.1.6.2 martin 0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17, 394 1.1.6.2 martin 0x18,0x19,0x1a,0x1b, 0x1c,0x1d,0x1e,0x1f, 395 1.1.6.2 martin 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27, 396 1.1.6.2 martin 0x28,0x29,0x2a,0x2b, 0x2c,0x2d,0x2e,0x2f, 397 1.1.6.2 martin 0x30,0x31,0x32,0x33, 0x34,0x35,0x36, 398 1.1.6.2 martin }, 399 1.1.6.2 martin [1] = { /* for reseed1 */ 400 1.1.6.2 martin 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87, 401 1.1.6.2 martin 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f, 402 1.1.6.2 martin 0x90,0x91,0x92,0x93, 0x94,0x95,0x96,0x97, 403 1.1.6.2 martin 0x98,0x99,0x9a,0x9b, 0x9c,0x9d,0x9e,0x9f, 404 1.1.6.2 martin 0xa0,0xa1,0xa2,0xa3, 0xa4,0xa5,0xa6,0xa7, 405 1.1.6.2 martin 0xa8,0xa9,0xaa,0xab, 0xac,0xad,0xae,0xaf, 406 1.1.6.2 martin 0xb0,0xb1,0xb2,0xb3, 0xb4,0xb5,0xb6, 407 1.1.6.2 martin }, 408 1.1.6.2 martin [2] = { /* for reseed2 */ 409 1.1.6.2 martin 0xc0,0xc1,0xc2,0xc3, 0xc4,0xc5,0xc6,0xc7, 410 1.1.6.2 martin 0xc8,0xc9,0xca,0xcb, 0xcc,0xcd,0xce,0xcf, 411 1.1.6.2 martin 0xd0,0xd1,0xd2,0xd3, 0xd4,0xd5,0xd6,0xd7, 412 1.1.6.2 martin 0xd8,0xd9,0xda,0xdb, 0xdc,0xdd,0xde,0xdf, 413 1.1.6.2 martin 0xe0,0xe1,0xe2,0xe3, 0xe4,0xe5,0xe6,0xe7, 414 1.1.6.2 martin 0xe8,0xe9,0xea,0xeb, 0xec,0xed,0xee,0xef, 415 1.1.6.2 martin 0xf0,0xf1,0xf2,0xf3, 0xf4,0xf5,0xf6, 416 1.1.6.2 martin }, 417 1.1.6.2 martin }; 418 1.1.6.2 martin 419 1.1.6.2 martin static const uint8_t kat_nonce[] = { 420 1.1.6.2 martin 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27, 421 1.1.6.2 martin }; 422 1.1.6.2 martin 423 1.1.6.2 martin static const struct hvec kat_zero = { .hv_base = 0, .hv_len = 0 }; 424 1.1.6.2 martin 425 1.1.6.2 martin static const struct hvec kat_personalization = { 427 1.1.6.2 martin .hv_len = 55, 428 1.1.6.2 martin .hv_base = (const void *)(const uint8_t[]) { /* p. 208 */ 429 1.1.6.2 martin 0x40,0x41,0x42,0x43, 0x44,0x45,0x46,0x47, 430 1.1.6.2 martin 0x48,0x49,0x4a,0x4b, 0x4c,0x4d,0x4e,0x4f, 431 1.1.6.2 martin 0x50,0x51,0x52,0x53, 0x54,0x55,0x56,0x57, 432 1.1.6.2 martin 0x58,0x59,0x5a,0x5b, 0x5c,0x5d,0x5e,0x5f, 433 1.1.6.2 martin 0x60,0x61,0x62,0x63, 0x64,0x65,0x66,0x67, 434 1.1.6.2 martin 0x68,0x69,0x6a,0x6b, 0x6c,0x6d,0x6e,0x6f, 435 1.1.6.2 martin 0x70,0x71,0x72,0x73, 0x74,0x75,0x76, 436 1.1.6.2 martin }, 437 1.1.6.2 martin }; 438 1.1.6.2 martin 439 1.1.6.2 martin static const struct hvec *const kat_no_additional[] = { 440 1.1.6.2 martin [0] = &kat_zero, 441 1.1.6.2 martin [1] = &kat_zero, 442 1.1.6.2 martin }; 443 1.1.6.2 martin 444 1.1.6.2 martin static const struct hvec *const kat_additional[] = { 445 1.1.6.2 martin [0] = &(const struct hvec) { 446 1.1.6.2 martin .hv_len = 55, 447 1.1.6.2 martin .hv_base = (const void *)(const uint8_t[]) { 448 1.1.6.2 martin 0x60,0x61,0x62,0x63, 0x64,0x65,0x66,0x67, 449 1.1.6.2 martin 0x68,0x69,0x6a,0x6b, 0x6c,0x6d,0x6e,0x6f, 450 1.1.6.2 martin 0x70,0x71,0x72,0x73, 0x74,0x75,0x76,0x77, 451 1.1.6.2 martin 0x78,0x79,0x7a,0x7b, 0x7c,0x7d,0x7e,0x7f, 452 1.1.6.2 martin 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87, 453 1.1.6.2 martin 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f, 454 1.1.6.2 martin 0x90,0x91,0x92,0x93, 0x94,0x95,0x96, 455 1.1.6.2 martin }, 456 1.1.6.2 martin }, 457 1.1.6.2 martin [1] = &(const struct hvec) { 458 1.1.6.2 martin .hv_len = 55, 459 1.1.6.2 martin .hv_base = (const void *)(const uint8_t[]) { 460 1.1.6.2 martin 0xa0,0xa1,0xa2,0xa3, 0xa4,0xa5,0xa6,0xa7, 461 1.1.6.2 martin 0xa8,0xa9,0xaa,0xab, 0xac,0xad,0xae,0xaf, 462 1.1.6.2 martin 0xb0,0xb1,0xb2,0xb3, 0xb4,0xb5,0xb6,0xb7, 463 1.1.6.2 martin 0xb8,0xb9,0xba,0xbb, 0xbc,0xbd,0xbe,0xbf, 464 1.1.6.2 martin 0xc0,0xc1,0xc2,0xc3, 0xc4,0xc5,0xc6,0xc7, 465 1.1.6.2 martin 0xc8,0xc9,0xca,0xcb, 0xcc,0xcd,0xce,0xcf, 466 1.1.6.2 martin 0xd0,0xd1,0xd2,0xd3, 0xd4,0xd5,0xd6, 467 1.1.6.2 martin }, 468 1.1.6.2 martin }, 469 1.1.6.2 martin }; 470 1.1.6.2 martin 471 1.1.6.2 martin static const struct { 473 1.1.6.2 martin const struct hvec *personalization; 474 1.1.6.2 martin const struct hvec *const *additional; 475 1.1.6.2 martin bool reseed; 476 1.1.6.2 martin uint8_t C[SEEDLEN_BYTES]; 477 1.1.6.2 martin uint8_t V[3][SEEDLEN_BYTES]; 478 1.1.6.2 martin uint8_t rnd_val[2][64]; 479 1.1.6.2 martin } kat[] = { 480 1.1.6.2 martin [0] = { /* Hash_DRBG.pdf, p. 190 */ 481 1.1.6.2 martin .personalization = &kat_zero, 482 1.1.6.2 martin .additional = kat_no_additional, 483 1.1.6.2 martin .reseed = false, 484 1.1.6.2 martin .C = { /* p. 193 */ 485 1.1.6.2 martin 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, 486 1.1.6.2 martin 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, 487 1.1.6.2 martin 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, 488 1.1.6.2 martin 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, 489 1.1.6.2 martin 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, 490 1.1.6.2 martin 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, 491 1.1.6.2 martin 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, 492 1.1.6.2 martin }, 493 1.1.6.2 martin .V = { 494 1.1.6.2 martin [0] = { /* p. 192 */ 495 1.1.6.2 martin 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, 496 1.1.6.2 martin 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, 497 1.1.6.2 martin 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, 498 1.1.6.2 martin 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, 499 1.1.6.2 martin 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, 500 1.1.6.2 martin 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, 501 1.1.6.2 martin 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, 502 1.1.6.2 martin }, 503 1.1.6.2 martin [1] = { /* p. 195 */ 504 1.1.6.2 martin 0x8c,0x9f,0xb2,0x8d, 0x1b,0x5c,0xcc,0xa4, 505 1.1.6.2 martin 0x7e,0x7c,0xfa,0x66, 0xba,0xce,0x21,0xff, 506 1.1.6.2 martin 0x26,0x0a,0x16,0xa5, 0xba,0xba,0x7f,0x14, 507 1.1.6.2 martin 0x4e,0x75,0x79,0x36, 0x8e,0x99,0x55,0xbe, 508 1.1.6.2 martin 0xfb,0xe7,0x00,0xee, 0xf8,0x72,0x77,0x6b, 509 1.1.6.2 martin 0x17,0xae,0xff,0xd5, 0x3d,0x76,0xf4,0xe3, 510 1.1.6.2 martin 0xbe,0x65,0xe8,0xc9, 0x4b,0x70,0x8f, 511 1.1.6.2 martin }, 512 1.1.6.2 martin [2] = { /* p. 197 */ 513 1.1.6.2 martin 0x6d,0xfd,0x97,0x35, 0xff,0x0e,0x0e,0x3f, 514 1.1.6.2 martin 0xe0,0x52,0x2f,0x58, 0x18,0x8b,0x53,0xed, 515 1.1.6.2 martin 0x3f,0xf6,0x70,0x05, 0x46,0x52,0x90,0x44, 516 1.1.6.2 martin 0xb6,0x2b,0xe1,0x7d, 0x1b,0x1c,0x21,0xd0, 517 1.1.6.2 martin 0x91,0xb0,0x89,0xb1, 0x77,0x47,0x95,0xdb, 518 1.1.6.2 martin 0x14,0x22,0xa8,0x6c, 0x95,0x46,0x34,0x80, 519 1.1.6.2 martin 0x76,0xb4,0xb6,0x21, 0xc7,0x2f,0x91, 520 1.1.6.2 martin }, 521 1.1.6.2 martin }, 522 1.1.6.2 martin .rnd_val = { 523 1.1.6.2 martin [0] = { 524 1.1.6.2 martin 0x77,0xe0,0x5a,0x0e, 0x7d,0xc7,0x8a,0xb5, 525 1.1.6.2 martin 0xd8,0x93,0x4d,0x5e, 0x93,0xe8,0x2c,0x06, 526 1.1.6.2 martin 0xa0,0x7c,0x04,0xce, 0xe6,0xc9,0xc5,0x30, 527 1.1.6.2 martin 0x45,0xee,0xb4,0x85, 0x87,0x27,0x77,0xcf, 528 1.1.6.2 martin 0x3b,0x3e,0x35,0xc4, 0x74,0xf9,0x76,0xb8, 529 1.1.6.2 martin 0x94,0xbf,0x30,0x1a, 0x86,0xfa,0x65,0x1f, 530 1.1.6.2 martin 0x46,0x39,0x70,0xe8, 0x9d,0x4a,0x05,0x34, 531 1.1.6.2 martin 0xb2,0xec,0xad,0x29, 0xec,0x04,0x4e,0x7e, 532 1.1.6.2 martin }, 533 1.1.6.2 martin { 534 1.1.6.2 martin 0x5f,0xf4,0xba,0x49, 0x3c,0x40,0xcf,0xff, 535 1.1.6.2 martin 0x3b,0x01,0xe4,0x72, 0xc5,0x75,0x66,0x8c, 536 1.1.6.2 martin 0xce,0x38,0x80,0xb9, 0x29,0x0b,0x05,0xbf, 537 1.1.6.2 martin 0xed,0xe5,0xec,0x96, 0xed,0x5e,0x9b,0x28, 538 1.1.6.2 martin 0x98,0x50,0x8b,0x09, 0xbc,0x80,0x0e,0xee, 539 1.1.6.2 martin 0x09,0x9a,0x3c,0x90, 0x60,0x2a,0xbd,0x4b, 540 1.1.6.2 martin 0x1d,0x4f,0x34,0x3d, 0x49,0x7c,0x60,0x55, 541 1.1.6.2 martin 0xc8,0x7b,0xb9,0x56, 0xd5,0x3b,0xf3,0x51, 542 1.1.6.2 martin }, 543 1.1.6.2 martin }, 544 1.1.6.2 martin }, 545 1.1.6.2 martin 546 1.1.6.2 martin [1] = { /* Hash_DRBG.pdf, p. 198 */ 548 1.1.6.2 martin .personalization = &kat_zero, 549 1.1.6.2 martin .additional = kat_additional, 550 1.1.6.2 martin .reseed = false, 551 1.1.6.2 martin .C = { /* p. 201 */ 552 1.1.6.2 martin 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, 553 1.1.6.2 martin 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, 554 1.1.6.2 martin 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, 555 1.1.6.2 martin 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, 556 1.1.6.2 martin 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, 557 1.1.6.2 martin 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, 558 1.1.6.2 martin 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, 559 1.1.6.2 martin }, 560 1.1.6.2 martin .V = { 561 1.1.6.2 martin [0] = { /* p. 200 */ 562 1.1.6.2 martin 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, 563 1.1.6.2 martin 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, 564 1.1.6.2 martin 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, 565 1.1.6.2 martin 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, 566 1.1.6.2 martin 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, 567 1.1.6.2 martin 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, 568 1.1.6.2 martin 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, 569 1.1.6.2 martin }, 570 1.1.6.2 martin [1] = { /* p. 204 */ 571 1.1.6.2 martin 0x8c,0x9f,0xb2,0x8d, 0x1b,0x5c,0xcc,0xa4, 572 1.1.6.2 martin 0x7e,0x7c,0xfa,0x66, 0xba,0xce,0x21,0xff, 573 1.1.6.2 martin 0x26,0x0a,0x16,0xa5, 0xba,0xba,0x7f,0x1f, 574 1.1.6.2 martin 0xd3,0x3b,0x30,0x79, 0x8f,0xb2,0x9a,0x0f, 575 1.1.6.2 martin 0xba,0x66,0x65,0x02, 0x7d,0x7f,0x10,0x58, 576 1.1.6.2 martin 0x71,0xbf,0xb4,0x40, 0xdf,0xbe,0xde,0x81, 577 1.1.6.2 martin 0xd0,0x4d,0x22,0xdf, 0xf7,0x89,0xe1, 578 1.1.6.2 martin }, 579 1.1.6.2 martin [2] = { /* p. 207 */ 580 1.1.6.2 martin 0x6d,0xfd,0x97,0x35, 0xff,0x0e,0x0e,0x3f, 581 1.1.6.2 martin 0xe0,0x52,0x2f,0x58, 0x18,0x8b,0x53,0xed, 582 1.1.6.2 martin 0x3f,0xf6,0x70,0x05, 0x46,0x52,0x90,0xe1, 583 1.1.6.2 martin 0x7c,0x5a,0xd8,0x2d, 0xa9,0x2a,0x05,0x01, 584 1.1.6.2 martin 0xaa,0x66,0x3a,0xa6, 0x9f,0xa5,0xa0,0xb0, 585 1.1.6.2 martin 0x81,0x2b,0x4b,0x4f, 0xaf,0xf3,0xfe,0xce, 586 1.1.6.2 martin 0x79,0xcc,0xf6,0xaa, 0xde,0xc1,0xd0, 587 1.1.6.2 martin }, 588 1.1.6.2 martin }, 589 1.1.6.2 martin .rnd_val = { 590 1.1.6.2 martin [0] = { /* p. 203 */ 591 1.1.6.2 martin 0x51,0x07,0x24,0xb9, 0x3a,0xe9,0xa1,0x82, 592 1.1.6.2 martin 0x70,0xe4,0x84,0x73, 0x71,0x1d,0x88,0x24, 593 1.1.6.2 martin 0x63,0x1b,0xaa,0x7f, 0x1d,0x9a,0xc9,0x28, 594 1.1.6.2 martin 0x4e,0x7e,0xc8,0xf3, 0x63,0x7f,0x7a,0x74, 595 1.1.6.2 martin 0x3b,0x36,0x44,0xeb, 0x96,0xc9,0x86,0x27, 596 1.1.6.2 martin 0xc8,0xfd,0x40,0x5a, 0x7a,0x46,0x03,0xf3, 597 1.1.6.2 martin 0x8c,0xff,0x7c,0x89, 0xe9,0xc1,0x33,0xf5, 598 1.1.6.2 martin 0x85,0x1f,0x40,0xe9, 0x20,0x30,0xfe,0xa2, 599 1.1.6.2 martin }, 600 1.1.6.2 martin [1] = { /* p. 206 */ 601 1.1.6.2 martin 0x62,0x53,0xda,0x3a, 0xae,0x8b,0x88,0xa3, 602 1.1.6.2 martin 0xb7,0x46,0xe4,0xc8, 0xb2,0x63,0x5c,0x54, 603 1.1.6.2 martin 0x0f,0x6e,0x9e,0xa7, 0x15,0x7e,0xe6,0x9d, 604 1.1.6.2 martin 0xd7,0x1e,0xfb,0x2e, 0x8f,0xf7,0xbb,0xe1, 605 1.1.6.2 martin 0xe3,0x33,0x68,0x88, 0x38,0xdd,0x7d,0xe4, 606 1.1.6.2 martin 0x9c,0xc8,0x89,0x90, 0x30,0x9c,0x96,0xcd, 607 1.1.6.2 martin 0xb2,0xab,0x92,0x95, 0x74,0x36,0xbf,0x83, 608 1.1.6.2 martin 0xd1,0xbd,0x83,0x08, 0x19,0xc7,0x48,0xca, 609 1.1.6.2 martin }, 610 1.1.6.2 martin }, 611 1.1.6.2 martin }, 612 1.1.6.2 martin 613 1.1.6.2 martin [2] = { /* Hash_DRBG.pdf, p. 208 */ 615 1.1.6.2 martin .personalization = &kat_personalization, 616 1.1.6.2 martin .additional = kat_no_additional, 617 1.1.6.2 martin .reseed = false, 618 1.1.6.2 martin .C = { /* p. 211 */ 619 1.1.6.2 martin 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, 620 1.1.6.2 martin 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, 621 1.1.6.2 martin 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, 622 1.1.6.2 martin 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, 623 1.1.6.2 martin 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, 624 1.1.6.2 martin 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, 625 1.1.6.2 martin 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, 626 1.1.6.2 martin }, 627 1.1.6.2 martin .V = { 628 1.1.6.2 martin [0] = { /* p. 210 */ 629 1.1.6.2 martin 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, 630 1.1.6.2 martin 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, 631 1.1.6.2 martin 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, 632 1.1.6.2 martin 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, 633 1.1.6.2 martin 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, 634 1.1.6.2 martin 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, 635 1.1.6.2 martin 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, 636 1.1.6.2 martin }, 637 1.1.6.2 martin [1] = { /* p. 213 */ 638 1.1.6.2 martin 0xe8,0x5d,0xd8,0xb1, 0xd8,0x6c,0x16,0xbf, 639 1.1.6.2 martin 0x62,0x8b,0xf3,0xb5, 0xf9,0x97,0x04,0x4d, 640 1.1.6.2 martin 0x2a,0x69,0x13,0x8c, 0xd6,0xa6,0x6e,0xe7, 641 1.1.6.2 martin 0x36,0xdb,0xaa,0x3b, 0xf1,0xd0,0x28,0x3b, 642 1.1.6.2 martin 0x71,0x7b,0x33,0x6e, 0xb3,0xae,0x5b,0xdd, 643 1.1.6.2 martin 0x04,0x17,0x2e,0xa2, 0x6e,0x5a,0x48,0xf3, 644 1.1.6.2 martin 0xb3,0xfb,0xab,0xf8, 0x2f,0x76,0x79, 645 1.1.6.2 martin }, 646 1.1.6.2 martin [2] = { /* p. 215 */ 647 1.1.6.2 martin 0x2c,0xd2,0x63,0x2a, 0x89,0xda,0x8c,0x15, 648 1.1.6.2 martin 0x02,0x14,0x11,0x07, 0xba,0xf5,0x02,0xb9, 649 1.1.6.2 martin 0x7d,0x38,0xc4,0x48, 0x48,0x08,0x71,0x0a, 650 1.1.6.2 martin 0x66,0xf8,0x40,0x11, 0xd7,0x02,0x8d,0x14, 651 1.1.6.2 martin 0xd3,0x15,0x5a,0x73, 0x79,0xad,0xd5,0x3c, 652 1.1.6.2 martin 0xc8,0xea,0x84,0xd0, 0xfc,0x64,0x1d,0xfc, 653 1.1.6.2 martin 0x62,0x9e,0x06,0x19, 0x1f,0x5f,0x6d, 654 1.1.6.2 martin }, 655 1.1.6.2 martin }, 656 1.1.6.2 martin .rnd_val = { 657 1.1.6.2 martin [0] = { /* p. 213 */ 658 1.1.6.2 martin 0x4a,0x62,0x66,0x4f, 0x26,0x6e,0xe5,0x37, 659 1.1.6.2 martin 0xb9,0x0d,0x64,0xb0, 0x5e,0x1d,0x81,0x3d, 660 1.1.6.2 martin 0x28,0xb1,0x59,0xa9, 0x79,0xf1,0x50,0x9d, 661 1.1.6.2 martin 0xde,0x31,0xb7,0x1d, 0xa4,0x3d,0x54,0x6e, 662 1.1.6.2 martin 0xe8,0xe7,0x86,0x78, 0x20,0x2d,0xc2,0x37, 663 1.1.6.2 martin 0xad,0x4a,0xfe,0x7d, 0xf3,0x10,0xc9,0xa4, 664 1.1.6.2 martin 0x13,0xe3,0x8a,0xaf, 0x41,0x7d,0x2d,0x22, 665 1.1.6.2 martin 0x5a,0xa3,0x65,0xec, 0x4a,0x7d,0x29,0x96, 666 1.1.6.2 martin }, 667 1.1.6.2 martin [1] = { /* p. 215 */ 668 1.1.6.2 martin 0x59,0x58,0x3d,0x3c, 0x0a,0xc3,0x71,0x30, 669 1.1.6.2 martin 0xc4,0x78,0x9a,0x83, 0x11,0xb8,0xca,0x8f, 670 1.1.6.2 martin 0x98,0x5e,0xf1,0xe8, 0xf9,0x4d,0x95,0x4e, 671 1.1.6.2 martin 0x32,0xe3,0x44,0xa6, 0x21,0xc2,0x4b,0x2f, 672 1.1.6.2 martin 0x37,0x1d,0xa9,0xba, 0x3c,0x33,0x15,0x3f, 673 1.1.6.2 martin 0x09,0xe5,0x51,0x45, 0xe7,0x62,0x92,0x6b, 674 1.1.6.2 martin 0x73,0xac,0x14,0x7a, 0x1e,0x86,0x31,0xd1, 675 1.1.6.2 martin 0xcc,0xd0,0x85,0x67, 0xcf,0x67,0x7c,0x72, 676 1.1.6.2 martin }, 677 1.1.6.2 martin }, 678 1.1.6.2 martin }, 679 1.1.6.2 martin 680 1.1.6.2 martin [3] = { /* Hash_DRBG.pdf, p. 215 */ 682 1.1.6.2 martin .personalization = &kat_personalization, 683 1.1.6.2 martin .additional = kat_additional, 684 1.1.6.2 martin .reseed = false, 685 1.1.6.2 martin .C = { /* p. 220 */ 686 1.1.6.2 martin 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, 687 1.1.6.2 martin 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, 688 1.1.6.2 martin 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, 689 1.1.6.2 martin 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, 690 1.1.6.2 martin 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, 691 1.1.6.2 martin 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, 692 1.1.6.2 martin 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, 693 1.1.6.2 martin }, 694 1.1.6.2 martin .V = { 695 1.1.6.2 martin [0] = { /* p. 218 */ 696 1.1.6.2 martin 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, 697 1.1.6.2 martin 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, 698 1.1.6.2 martin 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, 699 1.1.6.2 martin 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, 700 1.1.6.2 martin 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, 701 1.1.6.2 martin 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, 702 1.1.6.2 martin 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, 703 1.1.6.2 martin }, 704 1.1.6.2 martin [1] = { /* p. 222 */ 705 1.1.6.2 martin 0xe8,0x5d,0xd8,0xb1, 0xd8,0x6c,0x16,0xbf, 706 1.1.6.2 martin 0x62,0x8b,0xf3,0xb5, 0xf9,0x97,0x04,0x4d, 707 1.1.6.2 martin 0x2a,0x69,0x13,0x8c, 0xd6,0xa6,0x6f,0x8c, 708 1.1.6.2 martin 0xa8,0x7b,0x87,0x43, 0x50,0x20,0x2e,0x1d, 709 1.1.6.2 martin 0x8a,0xb0,0xb5,0xad, 0x47,0xac,0xc2,0x75, 710 1.1.6.2 martin 0x40,0x28,0x9f,0xe3, 0xa8,0xe3,0x1f,0x7b, 711 1.1.6.2 martin 0x56,0x58,0xdd,0xd1, 0x96,0x94,0x89, 712 1.1.6.2 martin }, 713 1.1.6.2 martin [2] = { /* p. 225 */ 714 1.1.6.2 martin 0x2c,0xd2,0x63,0x2a, 0x89,0xda,0x8c,0x15, 715 1.1.6.2 martin 0x02,0x14,0x11,0x07, 0xba,0xf5,0x02,0xb9, 716 1.1.6.2 martin 0x7d,0x38,0xc4,0x48, 0x48,0x08,0x71,0xb2, 717 1.1.6.2 martin 0x77,0xae,0xc7,0xff, 0x8d,0xa2,0x3c,0x71, 718 1.1.6.2 martin 0xef,0xf5,0x9d,0xc2, 0x4e,0x5e,0x4c,0x7f, 719 1.1.6.2 martin 0x58,0x47,0xb0,0xc1, 0x2f,0x6a,0x59,0x9e, 720 1.1.6.2 martin 0x6b,0x2e,0xda,0xc0, 0x30,0x6b,0xcd, 721 1.1.6.2 martin }, 722 1.1.6.2 martin }, 723 1.1.6.2 martin .rnd_val = { /* p. 222 */ 724 1.1.6.2 martin [0] = { 725 1.1.6.2 martin 0xe0,0xb9,0x7c,0x82, 0x12,0x68,0xfd,0x3b, 726 1.1.6.2 martin 0xb2,0xca,0xbf,0xd1, 0xf9,0x54,0x84,0x78, 727 1.1.6.2 martin 0xae,0x8a,0x60,0x41, 0x7f,0x7b,0x09,0x4a, 728 1.1.6.2 martin 0x26,0x13,0x95,0x46, 0x06,0x2b,0x52,0x1c, 729 1.1.6.2 martin 0xfd,0x33,0xe4,0xe3, 0x9b,0x9d,0xcd,0x0a, 730 1.1.6.2 martin 0x3d,0xa1,0x52,0x09, 0xc7,0x2a,0xdb,0xe5, 731 1.1.6.2 martin 0x8c,0x20,0xab,0x34, 0x07,0x02,0x69,0x51, 732 1.1.6.2 martin 0x29,0x7a,0xd2,0x54, 0x30,0x75,0x53,0xa5, 733 1.1.6.2 martin }, 734 1.1.6.2 martin [1] = { /* p. 225 */ 735 1.1.6.2 martin 0xc1,0xac,0xd3,0xad, 0xa4,0xc8,0xc4,0x95, 736 1.1.6.2 martin 0xbf,0x17,0x9d,0xb5, 0x98,0x22,0xc3,0x51, 737 1.1.6.2 martin 0xbc,0x47,0x9a,0xbe, 0x4e,0xb2,0x8f,0x84, 738 1.1.6.2 martin 0x39,0x57,0xb1,0x1e, 0x3c,0x2b,0xc0,0x48, 739 1.1.6.2 martin 0x83,0x96,0x42,0x97, 0x97,0x5b,0xd7,0x2d, 740 1.1.6.2 martin 0x10,0x24,0xab,0xcf, 0x6f,0x66,0x15,0xd7, 741 1.1.6.2 martin 0xf5,0xb4,0xfd,0x1e, 0x40,0xa6,0x4e,0xeb, 742 1.1.6.2 martin 0x45,0xba,0x21,0x81, 0xb8,0x39,0x37,0xed, 743 1.1.6.2 martin }, 744 1.1.6.2 martin }, 745 1.1.6.2 martin }, 746 1.1.6.2 martin 747 1.1.6.2 martin [4] = { /* Hash_DRBG.pdf, p. 225 */ 749 1.1.6.2 martin .personalization = &kat_zero, 750 1.1.6.2 martin .additional = kat_no_additional, 751 1.1.6.2 martin .reseed = true, 752 1.1.6.2 martin .C = { /* p. 229 */ 753 1.1.6.2 martin 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, 754 1.1.6.2 martin 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, 755 1.1.6.2 martin 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, 756 1.1.6.2 martin 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, 757 1.1.6.2 martin 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, 758 1.1.6.2 martin 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, 759 1.1.6.2 martin 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, 760 1.1.6.2 martin }, 761 1.1.6.2 martin .V = { 762 1.1.6.2 martin [0] = { /* p. 227 */ 763 1.1.6.2 martin 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, 764 1.1.6.2 martin 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, 765 1.1.6.2 martin 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, 766 1.1.6.2 martin 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, 767 1.1.6.2 martin 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, 768 1.1.6.2 martin 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, 769 1.1.6.2 martin 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, 770 1.1.6.2 martin }, 771 1.1.6.2 martin [1] = { /* p. 234 */ 772 1.1.6.2 martin 0x23,0x97,0x6c,0x61, 0x63,0xd7,0xe2,0x4a, 773 1.1.6.2 martin 0x1a,0x03,0x8f,0x2b, 0x2b,0x64,0x67,0x97, 774 1.1.6.2 martin 0x50,0xca,0x9e,0xd8, 0xd1,0x40,0x69,0x8d, 775 1.1.6.2 martin 0x64,0x22,0x39,0x7b, 0x02,0x96,0x9e,0x6e, 776 1.1.6.2 martin 0xcd,0xd2,0x9d,0xac, 0xc5,0x76,0x7e,0x2c, 777 1.1.6.2 martin 0xc2,0xd0,0xa1,0x56, 0xc8,0x7a,0xd0,0xb3, 778 1.1.6.2 martin 0x57,0x89,0x05,0x07, 0xe0,0x37,0x77, 779 1.1.6.2 martin }, 780 1.1.6.2 martin [2] = { /* p. 239 */ 781 1.1.6.2 martin 0x92,0xfb,0x0e,0x48, 0x0e,0x86,0x99,0x13, 782 1.1.6.2 martin 0xc7,0xad,0x45,0xc7, 0xe3,0xfd,0x46,0x10, 783 1.1.6.2 martin 0x17,0xe5,0xa6,0xb7, 0x70,0xf3,0x3b,0x31, 784 1.1.6.2 martin 0x3c,0x38,0x83,0xf1, 0xcc,0x56,0x71,0x89, 785 1.1.6.2 martin 0x45,0x21,0xf5,0xed, 0xe6,0x2e,0xaa,0xb0, 786 1.1.6.2 martin 0x83,0xb1,0x41,0xa7, 0x5b,0x5c,0xc0,0x22, 787 1.1.6.2 martin 0x60,0x5a,0x8a,0x3d, 0xc7,0x1b,0xa7, 788 1.1.6.2 martin }, 789 1.1.6.2 martin }, 790 1.1.6.2 martin .rnd_val = { 791 1.1.6.2 martin [0] = { /* p. 234 */ 792 1.1.6.2 martin 0x92,0x27,0x55,0x23, 0xc7,0x0e,0x56,0x7b, 793 1.1.6.2 martin 0xcf,0x9b,0x35,0xec, 0x50,0xb9,0x33,0xf8, 794 1.1.6.2 martin 0x12,0x61,0x6d,0xf5, 0x86,0xb7,0xf7,0x2e, 795 1.1.6.2 martin 0xe1,0xbc,0x77,0x35, 0xa5,0xc2,0x65,0x43, 796 1.1.6.2 martin 0x73,0xcb,0xbc,0x72, 0x31,0x6d,0xff,0x84, 797 1.1.6.2 martin 0x20,0xa3,0x3b,0xf0, 0x2b,0x97,0xac,0x8d, 798 1.1.6.2 martin 0x19,0x52,0x58,0x3f, 0x27,0x0a,0xcd,0x70, 799 1.1.6.2 martin 0x05,0xcc,0x02,0x7f, 0x4c,0xf1,0x18,0x7e, 800 1.1.6.2 martin }, 801 1.1.6.2 martin [1] = { /* p. 239 */ 802 1.1.6.2 martin 0x68,0x1a,0x46,0xb2, 0xaa,0x86,0x94,0xa0, 803 1.1.6.2 martin 0xfe,0x4d,0xee,0xa7, 0x20,0x92,0x7a,0x84, 804 1.1.6.2 martin 0xea,0xaa,0x98,0x5e, 0x59,0xc1,0x9f,0x8b, 805 1.1.6.2 martin 0xe0,0x98,0x4d,0x8c, 0xbe,0xf8,0xc6,0x9b, 806 1.1.6.2 martin 0x75,0x41,0x67,0x64, 0x19,0x46,0xe0,0x40, 807 1.1.6.2 martin 0xee,0x20,0x43,0xe1, 0xcc,0xb2,0x9d,0xcf, 808 1.1.6.2 martin 0x06,0x3c,0x0a,0x50, 0x83,0x0e,0x42,0x8e, 809 1.1.6.2 martin 0x6d,0xca,0x26,0x2e, 0xcd,0x77,0xc5,0x42, 810 1.1.6.2 martin }, 811 1.1.6.2 martin }, 812 1.1.6.2 martin }, 813 1.1.6.2 martin 814 1.1.6.2 martin [5] = { /* Hash_DRBG.pdf, p. 239 */ 816 1.1.6.2 martin .personalization = &kat_zero, 817 1.1.6.2 martin .additional = kat_additional, 818 1.1.6.2 martin .reseed = true, 819 1.1.6.2 martin .C = { /* p. 243 */ 820 1.1.6.2 martin 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, 821 1.1.6.2 martin 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, 822 1.1.6.2 martin 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, 823 1.1.6.2 martin 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, 824 1.1.6.2 martin 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, 825 1.1.6.2 martin 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, 826 1.1.6.2 martin 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, 827 1.1.6.2 martin }, 828 1.1.6.2 martin .V = { 829 1.1.6.2 martin [0] = { /* p. 242 */ 830 1.1.6.2 martin 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, 831 1.1.6.2 martin 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, 832 1.1.6.2 martin 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, 833 1.1.6.2 martin 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, 834 1.1.6.2 martin 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, 835 1.1.6.2 martin 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, 836 1.1.6.2 martin 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, 837 1.1.6.2 martin }, 838 1.1.6.2 martin [1] = { /* p. 249 */ 839 1.1.6.2 martin 0xb3,0x74,0x95,0x46, 0x81,0xcf,0xc9,0x5b, 840 1.1.6.2 martin 0x8d,0xb8,0x39,0x52, 0x8c,0x71,0x08,0x83, 841 1.1.6.2 martin 0x5e,0xb4,0xf3,0x0a, 0xd9,0x1c,0xbe,0x9e, 842 1.1.6.2 martin 0xa0,0xd5,0x45,0xcc, 0xfd,0x18,0x13,0x2a, 843 1.1.6.2 martin 0xf1,0xd3,0x76,0x8f, 0x47,0x02,0x77,0x2b, 844 1.1.6.2 martin 0x69,0x15,0x9f,0x2c, 0xc0,0x7f,0x48,0x74, 845 1.1.6.2 martin 0x1e,0xb5,0xb2,0xb1, 0x22,0x11,0x25, 846 1.1.6.2 martin }, 847 1.1.6.2 martin [2] = { /* p. 254 */ 848 1.1.6.2 martin 0xbf,0xe3,0xd6,0x81, 0xa2,0x0f,0xbe,0x39, 849 1.1.6.2 martin 0x03,0x8f,0x4d,0x66, 0x77,0x7c,0x1b,0xe5, 850 1.1.6.2 martin 0x79,0xee,0xb4,0x85, 0x7b,0x42,0xf2,0x1c, 851 1.1.6.2 martin 0x3f,0x59,0x8b,0x59, 0x62,0xb7,0xaa,0x48, 852 1.1.6.2 martin 0x0e,0xa5,0x65,0xfe, 0xea,0xbd,0xfb,0xd6, 853 1.1.6.2 martin 0xa7,0xec,0xcb,0x96, 0x02,0xc1,0x4b,0xfa, 854 1.1.6.2 martin 0x30,0xf0,0xf9,0x81, 0x90,0x0c,0xd0, 855 1.1.6.2 martin }, 856 1.1.6.2 martin }, 857 1.1.6.2 martin .rnd_val = { 858 1.1.6.2 martin [0] = { /* p. 249 */ 859 1.1.6.2 martin 0x11,0x60,0x1b,0x72, 0xca,0x60,0x89,0x73, 860 1.1.6.2 martin 0x6b,0x20,0x47,0x44, 0xb2,0x9d,0xa1,0xaa, 861 1.1.6.2 martin 0xaf,0xba,0xca,0xa5, 0x28,0x8f,0x06,0xbe, 862 1.1.6.2 martin 0x48,0x45,0x69,0xcc, 0xed,0xbe,0xce,0x03, 863 1.1.6.2 martin 0xe8,0x22,0xea,0xa5, 0xb1,0x4f,0x0e,0x04, 864 1.1.6.2 martin 0x94,0x8c,0x05,0xcd, 0x3c,0xc2,0xe2,0x88, 865 1.1.6.2 martin 0x9a,0x89,0xfa,0x03, 0xd6,0x5d,0x4d,0x74, 866 1.1.6.2 martin 0xac,0x50,0xff,0x6b, 0xd8,0x56,0xe5,0x79, 867 1.1.6.2 martin }, 868 1.1.6.2 martin [1] = { /* p. 255 */ 869 1.1.6.2 martin 0x05,0x5b,0xc1,0x28, 0xcc,0x2d,0x0e,0x25, 870 1.1.6.2 martin 0x0f,0x47,0xe4,0xe4, 0xf5,0x82,0x37,0x5d, 871 1.1.6.2 martin 0xe3,0xee,0x5e,0x9f, 0xe8,0x31,0x68,0x74, 872 1.1.6.2 martin 0x97,0xe5,0xaf,0x1e, 0x7c,0xb6,0x9e,0xfd, 873 1.1.6.2 martin 0xeb,0xd2,0xfd,0x31, 0xc7,0xce,0x2b,0xba, 874 1.1.6.2 martin 0x0d,0xbc,0x6c,0x74, 0xc8,0xa2,0x0a,0x7d, 875 1.1.6.2 martin 0x72,0xf6,0x0e,0x6d, 0x9f,0x63,0xed,0x50, 876 1.1.6.2 martin 0x9e,0x96,0x3e,0x54, 0xa6,0x9e,0x90,0x48, 877 1.1.6.2 martin }, 878 1.1.6.2 martin }, 879 1.1.6.2 martin }, 880 1.1.6.2 martin 881 1.1.6.2 martin [6] = { /* Hash_DRBG.pdf, p. 255 */ 883 1.1.6.2 martin .personalization = &kat_personalization, 884 1.1.6.2 martin .additional = kat_no_additional, 885 1.1.6.2 martin .reseed = true, 886 1.1.6.2 martin .C = { /* p. 259 */ 887 1.1.6.2 martin 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, 888 1.1.6.2 martin 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, 889 1.1.6.2 martin 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, 890 1.1.6.2 martin 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, 891 1.1.6.2 martin 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, 892 1.1.6.2 martin 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, 893 1.1.6.2 martin 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, 894 1.1.6.2 martin }, 895 1.1.6.2 martin .V = { 896 1.1.6.2 martin [0] = { /* p. 257 */ 897 1.1.6.2 martin 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, 898 1.1.6.2 martin 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, 899 1.1.6.2 martin 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, 900 1.1.6.2 martin 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, 901 1.1.6.2 martin 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, 902 1.1.6.2 martin 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, 903 1.1.6.2 martin 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, 904 1.1.6.2 martin }, 905 1.1.6.2 martin [1] = { /* p. 264 */ 906 1.1.6.2 martin 0xaa,0x11,0x1b,0x0e, 0xd5,0x6c,0xf4,0xa6, 907 1.1.6.2 martin 0xcc,0xe4,0xad,0xe7, 0xf1,0x1b,0x06,0x10, 908 1.1.6.2 martin 0x45,0xbf,0x10,0x92, 0xcb,0xb3,0x8f,0xf3, 909 1.1.6.2 martin 0x23,0x95,0xea,0x62, 0xd2,0x6b,0x27,0xc8, 910 1.1.6.2 martin 0x86,0x89,0x45,0xc5, 0x93,0xba,0x70,0xc3, 911 1.1.6.2 martin 0x84,0xad,0xad,0x45, 0x77,0x1c,0x93,0xb0, 912 1.1.6.2 martin 0x9c,0x27,0x69,0x07, 0x52,0xd1,0xd8, 913 1.1.6.2 martin }, 914 1.1.6.2 martin [2] = { /* p. 269 */ 915 1.1.6.2 martin 0x5f,0x0f,0xd4,0x0c, 0x8c,0x82,0xef,0x41, 916 1.1.6.2 martin 0x03,0x14,0xb8,0x30, 0xc2,0x0f,0xcc,0xea, 917 1.1.6.2 martin 0x71,0x59,0x18,0x9a, 0xea,0x13,0xe8,0x48, 918 1.1.6.2 martin 0x75,0x68,0x68,0x18, 0xcd,0x4f,0x12,0xb9, 919 1.1.6.2 martin 0xde,0xa8,0x82,0x58, 0x16,0xa4,0x13,0xa2, 920 1.1.6.2 martin 0x95,0x72,0x5e,0xb3, 0x3e,0x33,0xb9,0xad, 921 1.1.6.2 martin 0xfe,0xe0,0xb1,0xc2, 0x34,0x0a,0xe0, 922 1.1.6.2 martin }, 923 1.1.6.2 martin }, 924 1.1.6.2 martin .rnd_val = { 925 1.1.6.2 martin [0] = { /* p. 264 */ 926 1.1.6.2 martin 0x7a,0x33,0xd3,0x90, 0x33,0xf8,0x60,0x58, 927 1.1.6.2 martin 0x9f,0x37,0x5e,0x73, 0x35,0x30,0x75,0x52, 928 1.1.6.2 martin 0x96,0x58,0xbb,0xed, 0x99,0xc8,0xa0,0xef, 929 1.1.6.2 martin 0x5e,0x28,0xb3,0x51, 0xb2,0xdf,0x33,0x58, 930 1.1.6.2 martin 0xb3,0xd8,0x9b,0xac, 0x72,0x25,0xdf,0x9e, 931 1.1.6.2 martin 0x3b,0xcd,0x08,0x36, 0xb9,0x9b,0x5d,0xbf, 932 1.1.6.2 martin 0x36,0x3a,0x17,0x0c, 0x7b,0xb9,0xbe,0x41, 933 1.1.6.2 martin 0xa4,0xaa,0x97,0x44, 0x5e,0xce,0xe4,0x1e, 934 1.1.6.2 martin }, 935 1.1.6.2 martin [1] = { /* p. 269 */ 936 1.1.6.2 martin 0x04,0x1a,0xbd,0x94, 0x07,0x9a,0x05,0x71, 937 1.1.6.2 martin 0x88,0x5f,0x16,0x65, 0x94,0x4e,0x0e,0x7f, 938 1.1.6.2 martin 0x1b,0xfa,0xcd,0xea, 0xea,0xe9,0xd4,0x4e, 939 1.1.6.2 martin 0xed,0xc1,0x1f,0xad, 0xd8,0x4c,0x34,0xc7, 940 1.1.6.2 martin 0xca,0xa7,0x3d,0x09, 0xa0,0x19,0x31,0x93, 941 1.1.6.2 martin 0xfa,0x40,0xa1,0x9f, 0x64,0x4f,0x04,0x8d, 942 1.1.6.2 martin 0x2a,0x54,0x17,0x04, 0x25,0x53,0xdf,0x52, 943 1.1.6.2 martin 0x51,0x74,0x1b,0x40, 0xea,0xcf,0xeb,0x98, 944 1.1.6.2 martin }, 945 1.1.6.2 martin }, 946 1.1.6.2 martin }, 947 1.1.6.2 martin 948 1.1.6.2 martin [7] = { /* Hash_DRBG.pdf, p. 269 */ 950 1.1.6.2 martin .personalization = &kat_personalization, 951 1.1.6.2 martin .additional = kat_additional, 952 1.1.6.2 martin .reseed = true, 953 1.1.6.2 martin .C = { /* p. 274 */ 954 1.1.6.2 martin 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, 955 1.1.6.2 martin 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, 956 1.1.6.2 martin 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, 957 1.1.6.2 martin 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, 958 1.1.6.2 martin 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, 959 1.1.6.2 martin 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, 960 1.1.6.2 martin 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, 961 1.1.6.2 martin }, 962 1.1.6.2 martin .V = { 963 1.1.6.2 martin [0] = { /* p. 272 */ 964 1.1.6.2 martin 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, 965 1.1.6.2 martin 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, 966 1.1.6.2 martin 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, 967 1.1.6.2 martin 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, 968 1.1.6.2 martin 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, 969 1.1.6.2 martin 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, 970 1.1.6.2 martin 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, 971 1.1.6.2 martin }, 972 1.1.6.2 martin [1] = { /* p. 279 */ 973 1.1.6.2 martin 0xaa,0xf6,0xb9,0x9b, 0x7f,0x84,0xb0,0x36, 974 1.1.6.2 martin 0xe1,0xcc,0xbc,0x9d, 0x57,0x3a,0x36,0xb8, 975 1.1.6.2 martin 0xbd,0xd4,0x7c,0x35, 0x8b,0xb5,0xf3,0xc1, 976 1.1.6.2 martin 0xd6,0xe7,0x90,0x3a, 0xaa,0x29,0xf1,0xc8, 977 1.1.6.2 martin 0x7a,0xe6,0x66,0xb8, 0x86,0x93,0xbe,0xf4, 978 1.1.6.2 martin 0x6c,0x51,0xc2,0x4c, 0x47,0xbe,0xfe,0x4b, 979 1.1.6.2 martin 0x35,0x75,0x4d,0xcb, 0xfa,0x1e,0x7d, 980 1.1.6.2 martin }, 981 1.1.6.2 martin [2] = { /* p. 285 */ 982 1.1.6.2 martin 0x0c,0x75,0x77,0x4d, 0x61,0x02,0x69,0xad, 983 1.1.6.2 martin 0x5b,0xb4,0xab,0xbb, 0x14,0x83,0x23,0xc9, 984 1.1.6.2 martin 0x78,0x9f,0x8f,0x76, 0x25,0xcc,0x34,0x33, 985 1.1.6.2 martin 0x7c,0x03,0x47,0x2d, 0x9a,0x0c,0x4f,0xac, 986 1.1.6.2 martin 0x30,0xbe,0xd2,0xdd, 0xde,0x64,0xb8,0x7a, 987 1.1.6.2 martin 0x2c,0x70,0x67,0x52, 0xc2,0x1a,0xc0,0x11, 988 1.1.6.2 martin 0x27,0x43,0x59,0x2c, 0x4f,0xdf,0x67, 989 1.1.6.2 martin }, 990 1.1.6.2 martin }, 991 1.1.6.2 martin .rnd_val = { /* p. 279 */ 992 1.1.6.2 martin [0] = { 993 1.1.6.2 martin 0x88,0x97,0x32,0x97, 0x5b,0x36,0xe8,0xe2, 994 1.1.6.2 martin 0xe7,0xb7,0x40,0x50, 0xae,0xa1,0x71,0x39, 995 1.1.6.2 martin 0xda,0x2b,0x86,0x34, 0xdc,0xe2,0x13,0x3b, 996 1.1.6.2 martin 0x06,0x34,0x74,0x3f, 0x47,0x75,0x57,0xab, 997 1.1.6.2 martin 0x7b,0x84,0x4e,0xd3, 0xf2,0xa4,0x6c,0xc6, 998 1.1.6.2 martin 0x3e,0xb2,0x32,0x86, 0x46,0x4c,0x51,0xd5, 999 1.1.6.2 martin 0xd7,0x69,0x71,0xc4, 0x7b,0xc5,0xb5,0x5f, 1000 1.1.6.2 martin 0xed,0x72,0xa8,0x04, 0x3c,0xbf,0x66,0x4f, 1001 1.1.6.2 martin }, 1002 1.1.6.2 martin [1] = { 1003 1.1.6.2 martin 0xbf,0x49,0xb8,0x89, 0xba,0x98,0x4d,0x34, 1004 1.1.6.2 martin 0x63,0x87,0xe8,0x64, 0x7e,0x98,0xbb,0x99, 1005 1.1.6.2 martin 0xcd,0x41,0xa3,0x2f, 0xbe,0xc1,0xfc,0xb3, 1006 1.1.6.2 martin 0xb6,0xa1,0xb7,0xd9, 0x93,0x2b,0xa7,0xe1, 1007 1.1.6.2 martin 0x1e,0xe6,0xbb,0xd9, 0x24,0x40,0x5a,0x2c, 1008 1.1.6.2 martin 0x7f,0xca,0x89,0x0a, 0x5e,0x9a,0x8d,0xea, 1009 1.1.6.2 martin 0x66,0xac,0x0c,0xac, 0xa0,0xca,0x7b,0xc1, 1010 1.1.6.2 martin 0x8d,0x74,0xfb,0xc0, 0x2a,0x11,0xe4,0x53, 1011 1.1.6.2 martin }, 1012 1.1.6.2 martin }, 1013 1.1.6.2 martin }, 1014 1.1.6.2 martin }; 1015 1.1.6.2 martin 1016 1.1.6.2 martin #ifdef NIST_HASH_DRBG_DEBUG 1018 1.1.6.2 martin #define DPRINTF(fmt, ...) \ 1019 1.1.6.2 martin printf("%s:%d: " fmt, __func__, __LINE__, ##__VA_ARGS__) 1020 1.1.6.2 martin #define DUSE(v) 1021 1.1.6.2 martin #else 1022 1.1.6.2 martin #define DPRINTF(fmt, ...) 1023 1.1.6.2 martin #define DUSE(v) (void)(v) 1024 1.1.6.2 martin #endif 1025 1.1.6.2 martin 1026 1.1.6.2 martin #define CHECK(i, name, actual, expected, n) do \ 1027 1.1.6.2 martin { \ 1028 1.1.6.2 martin CTASSERT(sizeof(actual) == (n)); \ 1029 1.1.6.2 martin ok &= check(i, name, actual, expected, (n)); \ 1030 1.1.6.2 martin } while (0) 1031 1.1.6.2 martin 1032 1.1.6.2 martin static bool 1033 1.1.6.2 martin check(unsigned katno, const char *name, const uint8_t *actual, 1034 1.1.6.2 martin const uint8_t *expected, size_t n) 1035 1.1.6.2 martin { 1036 1.1.6.2 martin bool ok = true; 1037 1.1.6.2 martin size_t i; 1038 1.1.6.2 martin 1039 1.1.6.2 martin DUSE(katno); 1040 1.1.6.2 martin DUSE(name); 1041 1.1.6.2 martin 1042 1.1.6.2 martin for (i = 0; i < n; i++) { 1043 1.1.6.2 martin if (actual[i] != expected[i]) { 1044 1.1.6.2 martin DPRINTF("KAT %u %s[%zu] = %02x, expected %02x\n", 1045 1.1.6.2 martin katno, name, i, actual[i], expected[i]); 1046 1.1.6.2 martin ok = false; 1047 1.1.6.2 martin } 1048 1.1.6.2 martin } 1049 1.1.6.2 martin 1050 1.1.6.2 martin return ok; 1051 1.1.6.2 martin } 1052 1.1.6.2 martin 1053 1.1.6.2 martin #ifdef NIST_HASH_DRBG_MAIN 1054 1.1.6.2 martin int 1055 1.1.6.2 martin main(void) 1056 1.1.6.2 martin { 1057 1.1.6.2 martin int ret; 1058 1.1.6.2 martin 1059 1.1.6.2 martin ret = nist_hash_drbg_initialize(); 1060 1.1.6.2 martin 1061 1.1.6.2 martin fflush(stdout); 1062 1.1.6.2 martin return ret || ferror(stdout); 1063 1.1.6.2 martin } 1064 1.1.6.2 martin #endif 1065 1.1.6.2 martin 1066 1.1.6.2 martin int 1068 1.1.6.2 martin nist_hash_drbg_initialize(void) 1069 1.1.6.2 martin { 1070 1.1.6.2 martin const unsigned truncation[] = { 0, 1, 32, 63 }; 1071 1.1.6.2 martin bool ok = true; 1072 1.1.6.2 martin size_t i, j; 1073 1.1.6.2 martin 1074 1.1.6.2 martin for (i = 0; i < arraycount(kat); i++) { 1075 1.1.6.2 martin for (j = 0; j < arraycount(truncation); j++) { 1076 1.1.6.2 martin const unsigned trunc = truncation[j]; 1077 1.1.6.2 martin struct nist_hash_drbg drbg, *D = &drbg; 1078 1.1.6.2 martin uint8_t rnd_val[64]; 1079 1.1.6.2 martin unsigned reseed_counter; 1080 1.1.6.2 martin 1081 1.1.6.2 martin nist_hash_drbg_instantiate(D, 1082 1.1.6.2 martin kat_entropy[0], sizeof kat_entropy[0], 1083 1.1.6.2 martin kat_nonce, sizeof kat_nonce, 1084 1.1.6.2 martin kat[i].personalization->hv_base, 1085 1.1.6.2 martin kat[i].personalization->hv_len); 1086 1.1.6.2 martin reseed_counter = 1; 1087 1.1.6.2 martin CHECK(i, "C", D->C, kat[i].C, SEEDLEN_BYTES); 1088 1.1.6.2 martin CHECK(i, "V[0]", D->V, kat[i].V[0], SEEDLEN_BYTES); 1089 1.1.6.2 martin if (D->reseed_counter != reseed_counter) { 1090 1.1.6.2 martin DPRINTF("bad reseed counter: %u, expected %u", 1091 1.1.6.2 martin D->reseed_counter, reseed_counter); 1092 1.1.6.2 martin ok = false; 1093 1.1.6.2 martin } 1094 1.1.6.2 martin 1095 1.1.6.2 martin if (kat[i].reseed) { 1096 1.1.6.2 martin nist_hash_drbg_reseed(D, 1097 1.1.6.2 martin kat_entropy[1], sizeof kat_entropy[1], 1098 1.1.6.2 martin kat[i].additional[0]->hv_base, 1099 1.1.6.2 martin kat[i].additional[0]->hv_len); 1100 1.1.6.2 martin } 1101 1.1.6.2 martin 1102 1.1.6.2 martin nist_hash_drbg_generate(D, rnd_val, 1103 1.1.6.2 martin sizeof(rnd_val) - trunc, 1104 1.1.6.2 martin kat[i].reseed ? 0 : kat[i].additional[0]->hv_base, 1105 1.1.6.2 martin kat[i].reseed ? 0 : kat[i].additional[0]->hv_len); 1106 1.1.6.2 martin reseed_counter++; 1107 1.1.6.2 martin CHECK(i, "V[1]", D->V, kat[i].V[1], SEEDLEN_BYTES); 1108 1.1.6.2 martin CHECK(i, "rnd_val[0]", rnd_val, kat[i].rnd_val[0], 1109 1.1.6.2 martin sizeof(kat[i].rnd_val[0]) - trunc); 1110 1.1.6.2 martin if (D->reseed_counter != reseed_counter) { 1111 1.1.6.2 martin DPRINTF("bad reseed counter: %u, expected %u", 1112 1.1.6.2 martin D->reseed_counter, reseed_counter); 1113 1.1.6.2 martin ok = false; 1114 1.1.6.2 martin } 1115 1.1.6.2 martin 1116 1.1.6.2 martin if (kat[i].reseed) { 1117 1.1.6.2 martin nist_hash_drbg_reseed(D, 1118 1.1.6.2 martin kat_entropy[2], sizeof kat_entropy[2], 1119 1.1.6.2 martin kat[i].additional[1]->hv_base, 1120 1.1.6.2 martin kat[i].additional[1]->hv_len); 1121 1.1.6.2 martin reseed_counter = 1; 1122 1.1.6.2 martin } 1123 1.1.6.2 martin 1124 1.1.6.2 martin nist_hash_drbg_generate(D, rnd_val, 1125 1.1.6.2 martin sizeof(rnd_val) - trunc, 1126 1.1.6.2 martin kat[i].reseed ? 0 : kat[i].additional[1]->hv_base, 1127 1.1.6.2 martin kat[i].reseed ? 0 : kat[i].additional[1]->hv_len); 1128 reseed_counter++; 1129 CHECK(i, "V[2]", D->V, kat[i].V[2], SEEDLEN_BYTES); 1130 CHECK(i, "rnd_val[1]", rnd_val, kat[i].rnd_val[1], 1131 sizeof(kat[i].rnd_val[1]) - trunc); 1132 if (D->reseed_counter != reseed_counter) { 1133 DPRINTF("bad reseed counter: %u, expected %u", 1134 D->reseed_counter, reseed_counter); 1135 ok = false; 1136 } 1137 1138 nist_hash_drbg_destroy(D); 1139 } 1140 } 1141 1142 if (!ok) 1143 return 1; 1144 return 0; 1145 } 1146
Indexes created Fri Oct 31 11:10:07 GMT 2025