The branch master has been updated via 4d6d787c4937706676355ce241c6e538475295d2 (commit) via 28bdbe1aaa474ae8cd83e520d02e463e46ce89d9 (commit) from 4b5371913ed9bb4bfd8a55a30458932799296ab9 (commit)
- Log ----------------------------------------------------------------- commit 4d6d787c4937706676355ce241c6e538475295d2 Author: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Sat Feb 22 01:34:20 2020 +0100 AES CTR-DRGB: add test for 32-bit counter overflow Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10457) commit 28bdbe1aaa474ae8cd83e520d02e463e46ce89d9 Author: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Fri Nov 15 23:27:09 2019 +0100 AES CTR-DRGB: performance improvement Optimize the the AES-based implementation of the CTR_DRBG construction, see 10.2.1 in [1]. Due to the optimizations, the code may deviate (more) from the pseudocode in [1], but it is functional equivalence being decisive for compliance: "All DRBG mechanisms and algorithms are described in this document in pseudocode, which is intended to explain functionality. The pseudocode is not intended to constrain real-world implementations." [9 in [1]]. The following optimizations are done: - Replace multiple plain AES encryptions by a single AES-ECB encryption of a corresponding pre-initialized buffer, where possible. This allows platform-specific AES-ECB support to be used and reduces the overhead of multiple EVP calls. - Replace the generate operation loop (which is a counter increment followed by a plain AES encryption) by a loop which does a plain AES encryption followed by a counter increment. The latter loop is just a description of AES-CTR, so we replace it by a single AES-CTR encryption. This allows for platform-specific AES-CTR support to be used and reduces the overhead of multiple EVP calls. This change, that is, going from a pre- to a post- counter increment, requires the counter in the internal state to be kept at "+1" (compared to the pseudocode in [1]) such that it is in the correct state, when a generate operation is called. That in turn also requires all other operations to be changed from pre- to post-increment to keep functional equivalence. [1] NIST SP 800-90A Revision 1 Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10457) ----------------------------------------------------------------------- Summary of changes: crypto/rand/drbg_ctr.c | 215 +++++++++++++++++++++++++++----------------- crypto/rand/rand_local.h | 6 +- test/build.info | 7 +- test/drbg_extra_test.c | 94 +++++++++++++++++++ test/drbg_extra_test.h | 188 ++++++++++++++++++++++++++++++++++++++ test/recipes/05-test_rand.t | 2 + 6 files changed, 428 insertions(+), 84 deletions(-) create mode 100644 test/drbg_extra_test.c create mode 100644 test/drbg_extra_test.h diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c index 30420ae579..85b204d3be 100644 --- a/crypto/rand/drbg_ctr.c +++ b/crypto/rand/drbg_ctr.c @@ -12,6 +12,7 @@ #include <openssl/crypto.h> #include <openssl/err.h> #include <openssl/rand.h> +#include "crypto/modes.h" #include "internal/thread_once.h" #include "rand_local.h" @@ -65,15 +66,15 @@ static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen) * Process a complete block using BCC algorithm of SP 800-90A 10.3.3 */ __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out, - const unsigned char *in) + const unsigned char *in, int len) { int i, outlen = AES_BLOCK_SIZE; - for (i = 0; i < 16; i++) + for (i = 0; i < len; i++) out[i] ^= in[i]; - if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE) - || outlen != AES_BLOCK_SIZE) + if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len) + || outlen != len) return 0; return 1; } @@ -84,12 +85,16 @@ __owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out, */ __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in) { - if (!ctr_BCC_block(ctr, ctr->KX, in) - || !ctr_BCC_block(ctr, ctr->KX + 16, in)) - return 0; - if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in)) - return 0; - return 1; + unsigned char in_tmp[48]; + unsigned char num_of_blk = 2; + + memcpy(in_tmp, in, 16); + memcpy(in_tmp + 16, in, 16); + if (ctr->keylen != 16) { + memcpy(in_tmp + 32, in, 16); + num_of_blk = 3; + } + return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk); } /* @@ -98,19 +103,14 @@ __owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in) */ __owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr) { + unsigned char bltmp[48] = {0}; + unsigned char num_of_blk; + memset(ctr->KX, 0, 48); - memset(ctr->bltmp, 0, 16); - if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp)) - return 0; - ctr->bltmp[3] = 1; - if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp)) - return 0; - if (ctr->keylen != 16) { - ctr->bltmp[3] = 2; - if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp)) - return 0; - } - return 1; + num_of_blk = ctr->keylen == 16 ? 2 : 3; + bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1; + bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2; + return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE); } /* @@ -199,20 +199,20 @@ __owur static int ctr_df(RAND_DRBG_CTR *ctr, || !ctr_BCC_final(ctr)) return 0; /* Set up key K */ - if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1)) + if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1)) return 0; /* X follows key K */ - if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen, + if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen, AES_BLOCK_SIZE) || outlen != AES_BLOCK_SIZE) return 0; - if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX, + if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX, AES_BLOCK_SIZE) || outlen != AES_BLOCK_SIZE) return 0; if (ctr->keylen != 16) - if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16, - AES_BLOCK_SIZE) + if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen, + ctr->KX + 16, AES_BLOCK_SIZE) || outlen != AES_BLOCK_SIZE) return 0; return 1; @@ -231,31 +231,25 @@ __owur static int ctr_update(RAND_DRBG *drbg, { RAND_DRBG_CTR *ctr = &drbg->data.ctr; int outlen = AES_BLOCK_SIZE; + unsigned char V_tmp[48], out[48]; + unsigned char len; /* correct key is already set up. */ + memcpy(V_tmp, ctr->V, 16); inc_128(ctr); - if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE) - || outlen != AES_BLOCK_SIZE) - return 0; - - /* If keylen longer than 128 bits need extra encrypt */ - if (ctr->keylen != 16) { + memcpy(V_tmp + 16, ctr->V, 16); + if (ctr->keylen == 16) { + len = 32; + } else { inc_128(ctr); - if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V, - AES_BLOCK_SIZE) - || outlen != AES_BLOCK_SIZE) - return 0; + memcpy(V_tmp + 32, ctr->V, 16); + len = 48; } - inc_128(ctr); - if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE) - || outlen != AES_BLOCK_SIZE) + if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len) + || outlen != len) return 0; - - /* If 192 bit key part of V is on end of K */ - if (ctr->keylen == 24) { - memcpy(ctr->V + 8, ctr->V, 8); - memcpy(ctr->V, ctr->K + 24, 8); - } + memcpy(ctr->K, out, ctr->keylen); + memcpy(ctr->V, out + ctr->keylen, 16); if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) { /* If no input reuse existing derived value */ @@ -270,7 +264,8 @@ __owur static int ctr_update(RAND_DRBG *drbg, ctr_XOR(ctr, in2, in2len); } - if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1)) + if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1) + || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1)) return 0; return 1; } @@ -287,8 +282,10 @@ __owur static int drbg_ctr_instantiate(RAND_DRBG *drbg, memset(ctr->K, 0, sizeof(ctr->K)); memset(ctr->V, 0, sizeof(ctr->V)); - if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1)) + if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)) return 0; + + inc_128(ctr); if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen)) return 0; return 1; @@ -298,20 +295,40 @@ __owur static int drbg_ctr_reseed(RAND_DRBG *drbg, const unsigned char *entropy, size_t entropylen, const unsigned char *adin, size_t adinlen) { + RAND_DRBG_CTR *ctr = &drbg->data.ctr; + if (entropy == NULL) return 0; + + inc_128(ctr); if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0)) return 0; return 1; } +static void ctr96_inc(unsigned char *counter) +{ + u32 n = 12, c = 1; + + do { + --n; + c += counter[n]; + counter[n] = (u8)c; + c >>= 8; + } while (n); +} + __owur static int drbg_ctr_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen, const unsigned char *adin, size_t adinlen) { RAND_DRBG_CTR *ctr = &drbg->data.ctr; + unsigned int ctr32, blocks; + int outl, buflen; if (adin != NULL && adinlen != 0) { + inc_128(ctr); + if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0)) return 0; /* This means we reuse derived value */ @@ -323,28 +340,51 @@ __owur static int drbg_ctr_generate(RAND_DRBG *drbg, adinlen = 0; } - for ( ; ; ) { - int outl = AES_BLOCK_SIZE; + inc_128(ctr); + if (outlen == 0) { inc_128(ctr); - if (outlen < 16) { - /* Use K as temp space as it will be updated */ - if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V, - AES_BLOCK_SIZE) - || outl != AES_BLOCK_SIZE) - return 0; - memcpy(out, ctr->K, outlen); - break; - } - if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE) - || outl != AES_BLOCK_SIZE) + + if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0)) return 0; - out += 16; - outlen -= 16; - if (outlen == 0) - break; + return 1; } + memset(out, 0, outlen); + + do { + if (!EVP_CipherInit_ex(ctr->ctx_ctr, + NULL, NULL, NULL, ctr->V, -1)) + return 0; + + /*- + * outlen has type size_t while EVP_CipherUpdate takes an + * int argument and thus cannot be guaranteed to process more + * than 2^31-1 bytes at a time. We process such huge generate + * requests in 2^30 byte chunks, which is the greatest multiple + * of AES block size lower than or equal to 2^31-1. + */ + buflen = outlen > (1U << 30) ? (1U << 30) : outlen; + blocks = (buflen + 15) / 16; + + ctr32 = GETU32(ctr->V + 12) + blocks; + if (ctr32 < blocks) { + /* 32-bit counter overflow into V. */ + blocks -= ctr32; + buflen = blocks * 16; + ctr32 = 0; + ctr96_inc(ctr->V); + } + PUTU32(ctr->V + 12, ctr32); + + if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen) + || outl != buflen) + return 0; + + out += buflen; + outlen -= buflen; + } while (outlen); + if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0)) return 0; return 1; @@ -352,9 +392,11 @@ __owur static int drbg_ctr_generate(RAND_DRBG *drbg, static int drbg_ctr_uninstantiate(RAND_DRBG *drbg) { - EVP_CIPHER_CTX_free(drbg->data.ctr.ctx); + EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb); + EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr); EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df); - EVP_CIPHER_free(drbg->data.ctr.cipher); + EVP_CIPHER_free(drbg->data.ctr.cipher_ecb); + EVP_CIPHER_free(drbg->data.ctr.cipher_ctr); OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr)); return 1; } @@ -370,7 +412,8 @@ int drbg_ctr_init(RAND_DRBG *drbg) { RAND_DRBG_CTR *ctr = &drbg->data.ctr; size_t keylen; - EVP_CIPHER *cipher = NULL; + EVP_CIPHER *cipher_ecb = NULL; + EVP_CIPHER *cipher_ctr = NULL; switch (drbg->type) { default: @@ -378,30 +421,41 @@ int drbg_ctr_init(RAND_DRBG *drbg) return 0; case NID_aes_128_ctr: keylen = 16; - cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", ""); + cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-128-ECB", ""); + cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-128-CTR", ""); break; case NID_aes_192_ctr: keylen = 24; - cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", ""); + cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-192-ECB", ""); + cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-192-CTR", ""); break; case NID_aes_256_ctr: keylen = 32; - cipher = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", ""); + cipher_ecb = EVP_CIPHER_fetch(drbg->libctx, "AES-256-ECB", ""); + cipher_ctr = EVP_CIPHER_fetch(drbg->libctx, "AES-256-CTR", ""); break; } - if (cipher == NULL) + if (cipher_ecb == NULL || cipher_ctr == NULL) return 0; - EVP_CIPHER_free(ctr->cipher); - ctr->cipher = cipher; - - drbg->meth = &drbg_ctr_meth; + EVP_CIPHER_free(ctr->cipher_ecb); + ctr->cipher_ecb = cipher_ecb; + EVP_CIPHER_free(ctr->cipher_ctr); + ctr->cipher_ctr = cipher_ctr; ctr->keylen = keylen; - if (ctr->ctx == NULL) - ctr->ctx = EVP_CIPHER_CTX_new(); - if (ctr->ctx == NULL) + if (ctr->ctx_ecb == NULL) + ctr->ctx_ecb = EVP_CIPHER_CTX_new(); + if (ctr->ctx_ctr == NULL) + ctr->ctx_ctr = EVP_CIPHER_CTX_new(); + if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL + || !EVP_CipherInit_ex(ctr->ctx_ecb, + ctr->cipher_ecb, NULL, NULL, NULL, 1) + || !EVP_CipherInit_ex(ctr->ctx_ctr, + ctr->cipher_ctr, NULL, NULL, NULL, 1)) return 0; + + drbg->meth = &drbg_ctr_meth; drbg->strength = keylen * 8; drbg->seedlen = keylen + 16; @@ -419,7 +473,8 @@ int drbg_ctr_init(RAND_DRBG *drbg) if (ctr->ctx_df == NULL) return 0; /* Set key schedule for df_key */ - if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1)) + if (!EVP_CipherInit_ex(ctr->ctx_df, + ctr->cipher_ecb, NULL, df_key, NULL, 1)) return 0; drbg->min_entropylen = ctr->keylen; diff --git a/crypto/rand/rand_local.h b/crypto/rand/rand_local.h index ce16892531..646c0c33fd 100644 --- a/crypto/rand/rand_local.h +++ b/crypto/rand/rand_local.h @@ -175,9 +175,11 @@ typedef struct rand_drbg_hmac_st { * The state of a DRBG AES-CTR. */ typedef struct rand_drbg_ctr_st { - EVP_CIPHER_CTX *ctx; + EVP_CIPHER_CTX *ctx_ecb; + EVP_CIPHER_CTX *ctx_ctr; EVP_CIPHER_CTX *ctx_df; - EVP_CIPHER *cipher; + EVP_CIPHER *cipher_ecb; + EVP_CIPHER *cipher_ctr; size_t keylen; unsigned char K[32]; unsigned char V[16]; diff --git a/test/build.info b/test/build.info index fcf2ac57ac..6f00d1a141 100644 --- a/test/build.info +++ b/test/build.info @@ -49,8 +49,7 @@ IF[{- !$disabled{tests} -}] cipherbytes_test \ asn1_encode_test asn1_decode_test asn1_string_table_test \ x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \ - recordlentest drbgtest sslbuffertest \ - recordlentest drbgtest drbg_cavs_test sslbuffertest \ + recordlentest drbgtest drbg_cavs_test drbg_extra_test sslbuffertest \ time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \ servername_test ocspapitest fatalerrtest tls13ccstest \ sysdefaulttest errtest ssl_ctx_test gosttest \ @@ -357,6 +356,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[drbg_cavs_test]=../include ../apps/include . .. ../crypto/include DEPEND[drbg_cavs_test]=../libcrypto libtestutil.a + SOURCE[drbg_extra_test]=drbg_extra_test.c + INCLUDE[drbg_extra_test]=../include . .. ../apps/include + DEPEND[drbg_extra_test]=../libcrypto libtestutil.a + SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c INCLUDE[x509_dup_cert_test]=../include ../apps/include DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a diff --git a/test/drbg_extra_test.c b/test/drbg_extra_test.c new file mode 100644 index 0000000000..642f744932 --- /dev/null +++ b/test/drbg_extra_test.c @@ -0,0 +1,94 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include "internal/nelem.h" +#include <openssl/crypto.h> +#include <openssl/err.h> +#include <openssl/rand.h> +#include <openssl/obj_mac.h> +#include <openssl/evp.h> +#include <openssl/aes.h> +#include "../crypto/rand/rand_local.h" + +#include "testutil.h" +#include "drbg_extra_test.h" + +static unsigned char zerobuff[32]; + +static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance) +{ + *pout = zerobuff; + return sizeof(zerobuff); +} + +static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + *pout = zerobuff; + return sizeof(zerobuff); +} + +static int run_extra_kat(const struct drbg_extra_kat *td) +{ + unsigned long long i; + RAND_DRBG *drbg = NULL; + unsigned char buff[BUFFSIZE]; + unsigned int flags = 0; + int failures = 0; + + if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, flags, NULL))) + return 0; + + /* Set deterministic entropy callback. */ + if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, + kat_nonce, NULL))) { + failures++; + goto err; + } + + /* Set fixed reseed intervall. */ + if (!TEST_true(RAND_DRBG_set_reseed_interval(drbg, RESEEDINTERVAL))) { + failures++; + goto err; + } + + if (!TEST_true(RAND_DRBG_instantiate(drbg, NULL, 0))) + failures++; + + for (i = 0; i < td->ngen; i++) { + if(!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, + 0))) + failures++; + } + + if (!TEST_true(RAND_DRBG_uninstantiate(drbg)) + || !TEST_mem_eq(td->expected, sizeof(buff), buff, sizeof(buff))) + failures++; + +err: + if (drbg != NULL) { + RAND_DRBG_uninstantiate(drbg); + RAND_DRBG_free(drbg); + } + return failures == 0; +} + +static int test_extra_kats(int i) +{ + return run_extra_kat(drbg_extra_test[i]); +} + +int setup_tests(void) +{ + ADD_ALL_TESTS(test_extra_kats, OSSL_NELEM(drbg_extra_test)); + return 1; +} diff --git a/test/drbg_extra_test.h b/test/drbg_extra_test.h new file mode 100644 index 0000000000..4c771573d1 --- /dev/null +++ b/test/drbg_extra_test.h @@ -0,0 +1,188 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Self generated known answer test (KATs) for NIST SP800-90A AES CTR_DRBG. + * Test overflow of V after |ngen| generate operation. + */ + +#include <stddef.h> + +#ifndef DRBG_EXTRA_TEST_H +# define DRBG_EXTRA_TEST_H + +# define BUFFSIZE 512 +# define RESEEDINTERVAL ((1 << 24) - 1) + +struct drbg_extra_kat { + int nid; + const unsigned char *expected; + unsigned long long ngen; +}; + +static const unsigned char expected128[BUFFSIZE] = { + 0x39, 0x10, 0x06, 0x64, 0x68, 0x7d, 0x77, 0x64, 0xf9, 0xb8, 0xe8, 0x3c, + 0x55, 0xb0, 0xf1, 0x8c, 0xeb, 0x11, 0x23, 0x50, 0x15, 0x28, 0x44, 0x38, + 0x84, 0x47, 0x7b, 0xc2, 0x78, 0x16, 0x73, 0x57, 0x9f, 0x01, 0x57, 0xf0, + 0x17, 0x14, 0xa3, 0xa8, 0xdf, 0x3b, 0x87, 0x78, 0x37, 0xf8, 0x53, 0x23, + 0x18, 0xd2, 0xbc, 0x82, 0xc5, 0xed, 0x51, 0x84, 0x30, 0x14, 0xaa, 0x01, + 0xb8, 0xb5, 0xed, 0x33, 0x14, 0xe7, 0x6c, 0xa7, 0x38, 0x02, 0x60, 0x69, + 0x52, 0x0f, 0x5b, 0x7f, 0x4c, 0x82, 0x25, 0x05, 0x10, 0xaa, 0xd5, 0xc6, + 0xac, 0x44, 0x7c, 0xef, 0x0f, 0x69, 0xc7, 0x4d, 0x07, 0x54, 0x83, 0xb5, + 0xf2, 0x05, 0x0f, 0x69, 0xfd, 0x85, 0x8f, 0x63, 0x27, 0xe6, 0xff, 0xa5, + 0x26, 0xd9, 0xf0, 0x8b, 0x31, 0x89, 0xbc, 0x51, 0xb8, 0x62, 0x06, 0x88, + 0xe7, 0x95, 0xa7, 0x69, 0x7d, 0x43, 0x9c, 0x2b, 0x3c, 0x59, 0x9f, 0xa9, + 0x63, 0xa3, 0x80, 0x1b, 0xe9, 0x96, 0x6b, 0xde, 0xf2, 0xdb, 0x0c, 0x07, + 0x22, 0xb1, 0x30, 0xd0, 0x08, 0x66, 0x23, 0x31, 0x63, 0xd2, 0x86, 0xbf, + 0x6e, 0xcb, 0x44, 0xb7, 0x6a, 0x44, 0xac, 0xe6, 0x53, 0x0b, 0x32, 0x20, + 0xb6, 0xcb, 0x10, 0x22, 0x57, 0xa5, 0x7f, 0x7d, 0x9e, 0x83, 0xb9, 0xdb, + 0x27, 0x1b, 0x04, 0xf5, 0x67, 0x94, 0x6e, 0x44, 0xba, 0x77, 0xc2, 0xf6, + 0x6a, 0xcd, 0xfa, 0x71, 0x44, 0x07, 0x5e, 0x09, 0x6f, 0x42, 0x5c, 0x06, + 0x55, 0x4f, 0xae, 0xc7, 0x53, 0x73, 0x89, 0x80, 0x2d, 0x5a, 0x73, 0x3c, + 0x11, 0x8f, 0x76, 0xa1, 0x3b, 0xb6, 0xbe, 0x6b, 0xd2, 0x1f, 0xa7, 0x63, + 0x7c, 0x99, 0x46, 0x3d, 0x6b, 0x0d, 0x2a, 0xfe, 0x10, 0x00, 0x77, 0x43, + 0x5b, 0xd0, 0x52, 0x79, 0x8d, 0x1d, 0xfd, 0xe2, 0x9a, 0xac, 0x5c, 0x77, + 0x69, 0x68, 0xec, 0xf1, 0x92, 0xa8, 0xb7, 0x26, 0xcd, 0x64, 0xef, 0x8f, + 0x55, 0xa0, 0x83, 0x3f, 0x27, 0xf0, 0x34, 0xc3, 0x61, 0x74, 0xf9, 0x44, + 0x2d, 0xe1, 0xb3, 0xad, 0x02, 0xc2, 0x45, 0x40, 0x40, 0xc0, 0x0f, 0x05, + 0x72, 0xdb, 0x71, 0xae, 0x84, 0x4c, 0x3d, 0xd0, 0x61, 0x5d, 0x79, 0x52, + 0x16, 0xb1, 0x02, 0x07, 0xaf, 0xfa, 0x9a, 0xe0, 0x21, 0xbf, 0x1c, 0xc4, + 0x21, 0xf9, 0x76, 0x95, 0xc4, 0x92, 0x57, 0xb7, 0x1e, 0xce, 0xb8, 0xd5, + 0x1c, 0x68, 0x7c, 0xed, 0x8f, 0x45, 0x09, 0x0b, 0xef, 0x30, 0x68, 0xab, + 0x5f, 0x26, 0x4a, 0xf2, 0x8a, 0x55, 0x97, 0x3d, 0x1c, 0xa0, 0x33, 0x20, + 0x10, 0x9e, 0x10, 0x77, 0x93, 0xa2, 0xcb, 0x72, 0x33, 0xf3, 0x6f, 0xdc, + 0x41, 0x46, 0x83, 0xb1, 0x59, 0x22, 0xf0, 0x9b, 0x9f, 0x50, 0x9f, 0x14, + 0x2e, 0xe0, 0xb8, 0xa3, 0xf7, 0x40, 0x9d, 0xe0, 0x76, 0x78, 0xa6, 0xd4, + 0xf6, 0xd4, 0x29, 0x33, 0x97, 0x76, 0x54, 0xdf, 0x3e, 0xf0, 0x82, 0x9f, + 0x4f, 0xf1, 0x0b, 0x0a, 0x61, 0xa2, 0x3f, 0xde, 0xda, 0xfe, 0x93, 0xe1, + 0x51, 0x19, 0x93, 0x8c, 0xc0, 0x07, 0x76, 0xdb, 0x4a, 0x9c, 0xef, 0x42, + 0x5f, 0x7b, 0x5b, 0x2c, 0xff, 0xe7, 0x5f, 0x6d, 0xcb, 0x7e, 0x9b, 0xc9, + 0xf3, 0x94, 0xe9, 0x73, 0xd6, 0xa3, 0x00, 0x7d, 0x11, 0xf8, 0xd6, 0x58, + 0x97, 0x3e, 0xdf, 0xb9, 0xd5, 0x57, 0xde, 0x51, 0x9e, 0x39, 0x5d, 0x59, + 0xe5, 0x50, 0x29, 0x3e, 0x58, 0x90, 0x37, 0xa6, 0xcc, 0x06, 0x89, 0xb1, + 0xa6, 0xa7, 0xef, 0x96, 0x30, 0xf5, 0xc1, 0xea, 0x03, 0xde, 0x46, 0x9a, + 0x5f, 0xa2, 0x5d, 0xb6, 0x74, 0xfd, 0xbf, 0xde, 0x77, 0x8e, 0x3e, 0x90, + 0x55, 0x3b, 0x4d, 0x59, 0xde, 0x19, 0x43, 0xcd, 0x5d, 0x1b, 0xba, 0x29, + 0xa9, 0x59, 0xad, 0xef, 0x2d, 0x9c, 0x3b, 0xc0 +}; +static const struct drbg_extra_kat drbg_extra_test128 = { + NID_aes_128_ctr, + expected128, + 61335566ULL +}; + +static const unsigned char expected192[BUFFSIZE] = { + 0x19, 0x1b, 0xe3, 0xa9, 0x58, 0xb4, 0xcc, 0x3a, 0x3a, 0x06, 0x30, 0x6a, + 0xdc, 0x8c, 0x78, 0xb2, 0x1e, 0xb5, 0x83, 0xa0, 0x04, 0x72, 0xae, 0xed, + 0xae, 0x88, 0x7c, 0x63, 0x8b, 0xe6, 0x20, 0x9b, 0xb4, 0x04, 0x14, 0xa9, + 0x83, 0xce, 0xb4, 0xd1, 0x69, 0xc2, 0x00, 0xa5, 0xf4, 0x45, 0xdb, 0xa1, + 0xcb, 0xd7, 0xfe, 0xf7, 0x19, 0x5d, 0x4d, 0x26, 0x7d, 0x7a, 0x2f, 0xde, + 0xc1, 0xb3, 0x8e, 0x3e, 0x19, 0xd1, 0xff, 0x25, 0x9b, 0x81, 0x90, 0x11, + 0x71, 0xb6, 0x08, 0x46, 0x76, 0x58, 0xca, 0x78, 0xae, 0xc3, 0x90, 0x29, + 0x07, 0x07, 0x85, 0x9d, 0x90, 0xd9, 0xf5, 0x5a, 0x8d, 0x28, 0x87, 0xd3, + 0x88, 0xd1, 0x14, 0xc1, 0xa8, 0x96, 0xa3, 0x7e, 0x6b, 0xe4, 0x1d, 0xf6, + 0x0d, 0xfb, 0x3d, 0xee, 0xa9, 0x8c, 0x70, 0xc9, 0x3f, 0x87, 0xad, 0x57, + 0xd9, 0xe3, 0x4e, 0xfc, 0x03, 0xeb, 0x79, 0xb8, 0xb9, 0xe9, 0xe4, 0x55, + 0x78, 0x4b, 0xdb, 0xfa, 0xb6, 0x5e, 0x1e, 0x5b, 0xab, 0x11, 0x35, 0x3c, + 0x97, 0x10, 0x0d, 0x7e, 0x68, 0x47, 0x1a, 0xd0, 0x59, 0xac, 0x41, 0x61, + 0x8e, 0xfc, 0xd1, 0x12, 0xf6, 0x81, 0x44, 0x5c, 0x78, 0xe4, 0x32, 0x2f, + 0xa5, 0x4c, 0x6e, 0xf8, 0xbf, 0x35, 0xc2, 0x66, 0xc0, 0x04, 0x77, 0x2e, + 0x1d, 0xe9, 0xc9, 0x8f, 0xca, 0xd7, 0x2a, 0xf0, 0x35, 0x34, 0x3a, 0xf6, + 0x7e, 0x0d, 0xc6, 0xc2, 0x4a, 0xd0, 0x91, 0x5d, 0xf5, 0x47, 0xdb, 0x32, + 0x88, 0x52, 0x98, 0xf0, 0xca, 0xc9, 0x57, 0x34, 0x10, 0xca, 0xfa, 0x9d, + 0x23, 0x61, 0x41, 0x55, 0xc8, 0x65, 0xa4, 0x4e, 0xa5, 0x8b, 0x1a, 0xdc, + 0x14, 0x80, 0x26, 0xe7, 0x72, 0x98, 0x90, 0x14, 0x01, 0x52, 0xa4, 0x9f, + 0x55, 0xe4, 0xaa, 0x15, 0x20, 0xd4, 0x34, 0x3f, 0x36, 0xce, 0x93, 0x5d, + 0x7b, 0x49, 0x29, 0x3f, 0xef, 0x78, 0xe9, 0x2e, 0x4c, 0x87, 0xa1, 0xb6, + 0x28, 0xb7, 0xa3, 0xb4, 0x49, 0x84, 0xf5, 0x5d, 0x24, 0x7d, 0x57, 0x57, + 0x79, 0xf5, 0xa1, 0x67, 0x5b, 0x8c, 0x59, 0x43, 0x3a, 0x1f, 0x10, 0x51, + 0x57, 0xa0, 0xe5, 0x18, 0xba, 0xdd, 0xca, 0x2d, 0xa9, 0xc5, 0xef, 0xad, + 0x7e, 0xd5, 0x17, 0xa3, 0x66, 0xe0, 0x93, 0x00, 0xda, 0xfc, 0x90, 0x89, + 0x64, 0x01, 0x10, 0x6a, 0xe7, 0x51, 0x7e, 0x5c, 0x16, 0x87, 0x4a, 0xc2, + 0x04, 0x27, 0x5c, 0x71, 0xdb, 0xcb, 0xb4, 0x70, 0xfc, 0x5e, 0xfb, 0xce, + 0xba, 0xc8, 0x20, 0x80, 0x5d, 0x73, 0xdb, 0xb4, 0x30, 0x8b, 0xfc, 0xcf, + 0xd1, 0x09, 0xa1, 0x93, 0xa3, 0x3e, 0x86, 0x76, 0x86, 0x5a, 0xa4, 0xba, + 0xda, 0xb8, 0x03, 0x1d, 0x69, 0x99, 0x29, 0xef, 0xe1, 0x7b, 0x6a, 0xd3, + 0x95, 0x9e, 0x98, 0x5a, 0x39, 0xb0, 0xde, 0x53, 0x49, 0x09, 0x7d, 0xdd, + 0x89, 0xed, 0x90, 0xc6, 0xa3, 0x8c, 0xe6, 0x15, 0x2f, 0x5a, 0x47, 0x8a, + 0x66, 0xf7, 0x1f, 0x38, 0x9e, 0xae, 0x9b, 0x46, 0x71, 0x96, 0x21, 0xbf, + 0x9f, 0x8e, 0x60, 0x2c, 0xda, 0xd6, 0x38, 0xf0, 0xc5, 0xe6, 0x27, 0x4b, + 0xfa, 0xc2, 0x13, 0x1a, 0x6b, 0xf5, 0x47, 0x97, 0x2f, 0xd0, 0x34, 0xe7, + 0x71, 0x9f, 0x8b, 0xc7, 0x22, 0xec, 0x97, 0x38, 0xe2, 0x07, 0x2b, 0x02, + 0x76, 0xf7, 0xb5, 0xdc, 0x55, 0xaf, 0x8e, 0xe6, 0x92, 0x57, 0x82, 0x82, + 0xf2, 0x1e, 0x10, 0x37, 0x40, 0xc4, 0x91, 0x25, 0xa7, 0x5c, 0xed, 0x1b, + 0x61, 0xc7, 0xc4, 0x47, 0xac, 0xe5, 0xb8, 0x7b, 0xdc, 0xfc, 0xaa, 0xd4, + 0x0c, 0xcc, 0x93, 0xee, 0x69, 0xd7, 0x35, 0xcf, 0xd7, 0x47, 0x05, 0xfc, + 0x88, 0xeb, 0x29, 0x0b, 0x62, 0x8e, 0x51, 0xb0, 0xd6, 0x71, 0xa0, 0xf2, + 0x17, 0x74, 0x1a, 0x2d, 0x4f, 0xb0, 0xd9, 0x8b +}; +static const struct drbg_extra_kat drbg_extra_test192 = { + NID_aes_192_ctr, + expected192, + 10132467ULL +}; + +static const unsigned char expected256[BUFFSIZE] = { + 0x3f, 0x6d, 0x24, 0x4d, 0xe8, 0xdf, 0x93, 0xe5, 0xde, 0x4f, 0xba, 0x25, + 0x9c, 0x97, 0xfa, 0xbb, 0x78, 0x6f, 0xe7, 0xce, 0x74, 0x66, 0xa3, 0x81, + 0xf1, 0x0e, 0xf9, 0xea, 0xb6, 0xfc, 0xc2, 0xc5, 0xf0, 0x25, 0x0d, 0x45, + 0x45, 0x8a, 0x3e, 0xf2, 0x93, 0xf3, 0x2c, 0x41, 0x46, 0x2d, 0x58, 0x56, + 0x7e, 0x6a, 0x5c, 0x8a, 0x51, 0x3f, 0xd1, 0x76, 0x09, 0x6d, 0xf4, 0xf0, + 0x01, 0x8f, 0x60, 0x68, 0x9c, 0x52, 0xb2, 0xb1, 0xd2, 0x3e, 0x07, 0x10, + 0xab, 0x6c, 0xc9, 0x78, 0x22, 0xf4, 0xde, 0xbc, 0xee, 0x23, 0xa9, 0xb5, + 0x81, 0x2c, 0x4c, 0xf7, 0xd6, 0x35, 0x53, 0x1f, 0x66, 0x42, 0x1d, 0x7a, + 0x6d, 0x6e, 0x56, 0x8d, 0xbc, 0x03, 0xac, 0x76, 0x6c, 0x46, 0x4a, 0x80, + 0x87, 0x97, 0x62, 0xc6, 0xe8, 0x21, 0x35, 0xbd, 0x1d, 0x17, 0x28, 0x80, + 0x79, 0x6a, 0xe0, 0xc5, 0x33, 0x51, 0x38, 0xa6, 0xdf, 0x8d, 0xf6, 0xb3, + 0x69, 0x4f, 0x3b, 0xb2, 0xb1, 0x8e, 0x28, 0x8a, 0x3b, 0xba, 0x80, 0x43, + 0x7a, 0x92, 0x5e, 0x11, 0xd7, 0x4a, 0x8d, 0xa5, 0xee, 0x7c, 0x30, 0x69, + 0x7c, 0x27, 0x0f, 0xb8, 0x10, 0xd4, 0x32, 0x5f, 0xad, 0x27, 0xf4, 0xf1, + 0x31, 0xfe, 0x41, 0x08, 0x8c, 0x09, 0xe5, 0x9c, 0x55, 0x97, 0xa5, 0x38, + 0x7f, 0x72, 0x5b, 0x0a, 0xb3, 0x44, 0x2d, 0x4f, 0x65, 0xba, 0x74, 0x0c, + 0x35, 0x2f, 0x57, 0xfb, 0x21, 0x9c, 0x80, 0x2a, 0xd8, 0x0d, 0x56, 0xa7, + 0x99, 0x8b, 0xd9, 0xaf, 0x6f, 0x45, 0x06, 0x94, 0xf5, 0x6f, 0x56, 0x32, + 0x3d, 0x6c, 0xd6, 0x91, 0x30, 0x88, 0xdd, 0x61, 0x79, 0xa8, 0xac, 0x03, + 0xcf, 0x1c, 0x53, 0xd4, 0xdf, 0x6f, 0x39, 0x9c, 0x9f, 0xa9, 0xb5, 0x8c, + 0x8b, 0xc3, 0x20, 0x89, 0x5e, 0xf9, 0x74, 0x0c, 0xda, 0x7b, 0x2a, 0x22, + 0xa4, 0xcc, 0x00, 0x78, 0x66, 0x5e, 0xe5, 0x49, 0x5b, 0x3e, 0xfe, 0x85, + 0xcd, 0x9a, 0xa7, 0xcd, 0xb0, 0xf1, 0x2b, 0xe7, 0x3b, 0x23, 0x09, 0xb2, + 0x26, 0x66, 0x6c, 0x64, 0xd9, 0x35, 0x69, 0xd4, 0xfe, 0xc1, 0x3f, 0xbd, + 0xf3, 0x15, 0x15, 0x83, 0x1f, 0x92, 0x5f, 0x25, 0x0b, 0x1f, 0x54, 0xeb, + 0xfc, 0x40, 0x96, 0xb4, 0x71, 0x2a, 0x3b, 0xa3, 0x94, 0xfa, 0x41, 0xfa, + 0x43, 0x4e, 0xf1, 0x85, 0xc4, 0x2d, 0x40, 0xf0, 0x1a, 0x0d, 0x88, 0xf2, + 0xd4, 0x1f, 0x9d, 0x80, 0x69, 0x56, 0xb1, 0xa4, 0xcb, 0xa1, 0x35, 0x98, + 0xda, 0xa4, 0xa3, 0x6d, 0xd8, 0x01, 0x98, 0xe0, 0x2e, 0x13, 0xc2, 0x7d, + 0x74, 0x6a, 0x62, 0x7a, 0xef, 0x93, 0x65, 0x94, 0x37, 0xa6, 0x5b, 0xcb, + 0x23, 0xe6, 0x23, 0x3d, 0xa5, 0x7e, 0x30, 0x59, 0x36, 0x85, 0xee, 0xfb, + 0xe8, 0x33, 0x3c, 0xf5, 0xc3, 0x4e, 0xf2, 0xc4, 0x70, 0xc8, 0x4f, 0x00, + 0x39, 0x7d, 0x20, 0x7f, 0x72, 0x57, 0xd9, 0xb9, 0xf6, 0xfe, 0xf2, 0x50, + 0x44, 0xed, 0x53, 0xdc, 0xd6, 0xd5, 0x1f, 0x94, 0xea, 0x62, 0x9e, 0x64, + 0x23, 0xd6, 0x6d, 0x8a, 0x6e, 0xfb, 0xc2, 0xb3, 0x7e, 0x72, 0x26, 0xad, + 0x31, 0x30, 0x81, 0xb7, 0x62, 0x10, 0xaf, 0x8e, 0x45, 0x74, 0x6e, 0x8f, + 0x07, 0x5a, 0xfe, 0xe3, 0xa7, 0xe8, 0x47, 0x80, 0x7e, 0x1d, 0xb5, 0x8c, + 0xab, 0xcb, 0x0b, 0x95, 0xb2, 0x95, 0x64, 0x5e, 0xea, 0x42, 0x14, 0x6f, + 0x6b, 0xe4, 0x81, 0x51, 0x78, 0xb4, 0x0e, 0x0c, 0x6e, 0x22, 0x31, 0xb2, + 0x50, 0xd9, 0x78, 0xc6, 0xfa, 0xa4, 0xb6, 0xf4, 0x17, 0x20, 0xbe, 0xe3, + 0x69, 0xfa, 0x6c, 0xb9, 0x98, 0xad, 0xca, 0xba, 0x72, 0xa2, 0x22, 0x4c, + 0x0a, 0xb3, 0x6d, 0x9b, 0x11, 0x8a, 0x59, 0x06, 0xf1, 0xda, 0x43, 0xc2, + 0xae, 0xb0, 0x80, 0x35, 0x86, 0xbf, 0xf0, 0x8c +}; +static const struct drbg_extra_kat drbg_extra_test256 = { + NID_aes_256_ctr, + expected256, + 40870394ULL +}; + +static const struct drbg_extra_kat *drbg_extra_test[] = { + &drbg_extra_test128, + &drbg_extra_test192, + &drbg_extra_test256, +}; + +#endif diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t index f376edd18a..70035e9b27 100644 --- a/test/recipes/05-test_rand.t +++ b/test/recipes/05-test_rand.t @@ -15,3 +15,5 @@ setup("test_rand"); ok(run(test(["drbgtest"]))); ok(run(test(["drbg_cavs_test"]))); +# commented out due to long running time +#ok(run(test(["drbg_extra_test"])));