LCOV - code coverage report
Current view: top level - random - random-drbg.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 207 787 26.3 %
Date: 2016-09-12 12:56:58 Functions: 22 49 44.9 %

          Line data    Source code
       1             : /* random-drbg.c - Deterministic Random Bits Generator
       2             :  * Copyright 2014 Stephan Mueller <smueller@chronox.de>
       3             :  *
       4             :  * DRBG: Deterministic Random Bits Generator
       5             :  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
       6             :  *       properties:
       7             :  *              * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
       8             :  *              * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
       9             :  *              * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
      10             :  *              * with and without prediction resistance
      11             :  *
      12             :  * Redistribution and use in source and binary forms, with or without
      13             :  * modification, are permitted provided that the following conditions
      14             :  * are met:
      15             :  * 1. Redistributions of source code must retain the above copyright
      16             :  *    notice, and the entire permission notice in its entirety,
      17             :  *    including the disclaimer of warranties.
      18             :  * 2. Redistributions in binary form must reproduce the above copyright
      19             :  *    notice, this list of conditions and the following disclaimer in the
      20             :  *    documentation and/or other materials provided with the distribution.
      21             :  * 3. The name of the author may not be used to endorse or promote
      22             :  *    products derived from this software without specific prior
      23             :  *    written permission.
      24             :  *
      25             :  * ALTERNATIVELY, this product may be distributed under the terms of
      26             :  * LGPLv2+, in which case the provisions of the LGPL are
      27             :  * required INSTEAD OF the above restrictions.  (This clause is
      28             :  * necessary due to a potential bad interaction between the LGPL and
      29             :  * the restrictions contained in a BSD-style copyright.)
      30             :  *
      31             :  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
      32             :  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
      33             :  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
      34             :  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
      35             :  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
      36             :  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
      37             :  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
      38             :  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
      39             :  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
      40             :  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
      41             :  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
      42             :  * DAMAGE.
      43             :  *
      44             :  *
      45             :  * gcry_control GCRYCTL_DRBG_REINIT
      46             :  * ================================
      47             :  * This control request re-initializes the DRBG completely, i.e. the entire
      48             :  * state of the DRBG is zeroized (with two exceptions listed in
      49             :  * GCRYCTL_DRBG_SET_ENTROPY).
      50             :  *
      51             :  * The control request takes the following values which influences how
      52             :  * the DRBG is re-initialized:
      53             :  *
      54             :  *  - const char *flagstr
      55             :  *
      56             :  *      This variable specifies the DRBG type to be used for the next
      57             :  *      initialization.  If set to NULL, the previous DRBG type is
      58             :  *      used for the initialization.  If not NULL a space separated
      59             :  *      list of tokens with associated flag values is expected which
      60             :  *      are ORed to form the mandatory flags of the requested DRBG
      61             :  *      strength and cipher type.  Optionally, the prediction
      62             :  *      resistance flag can be ORed into the flags variable.
      63             :  *
      64             :  *      | String token | Flag value             |
      65             :  *      |--------------+------------------------|
      66             :  *      | aes          | DRBG_CTRAES            |
      67             :  *      | serpent      | DRBG_CTRSERPENT        |
      68             :  *      | twofish      | DRBG_CTRTWOFISH        |
      69             :  *      | sha1         | DRBG_HASHSHA1          |
      70             :  *      | sha256       | DRBG_HASHSHA256        |
      71             :  *      | sha512       | DRBG_HASHSHA512        |
      72             :  *      | hmac         | DRBG_HMAC              |
      73             :  *      | sym128       | DRBG_SYM128            |
      74             :  *      | sym192       | DRBG_SYM192            |
      75             :  *      | sym256       | DRBG_SYM256            |
      76             :  *      | pr           | DRBG_PREDICTION_RESIST |
      77             :  *
      78             :  *    For example:
      79             :  *
      80             :  *      - CTR-DRBG with AES-128 without prediction resistance:
      81             :  *          "aes sym128"
      82             :  *      - HMAC-DRBG with SHA-512 with prediction resistance:
      83             :  *          "hmac sha512 pr"
      84             :  *
      85             :  *  - gcry_buffer_t *pers
      86             :  *
      87             :  *      NULL terminated array with personalization strings to be used
      88             :  *      for initialization.
      89             :  *
      90             :  *  - int npers
      91             :  *
      92             :  *     Size of PERS.
      93             :  *
      94             :  *  - void *guard
      95             :  *
      96             :  *      A value of NULL must be passed for this.
      97             :  *
      98             :  * The variable of flags is independent from the pers/perslen variables. If
      99             :  * flags is set to 0 and perslen is set to 0, the current DRBG type is
     100             :  * completely reset without using a personalization string.
     101             :  *
     102             :  * DRBG Usage
     103             :  * ==========
     104             :  * The SP 800-90A DRBG allows the user to specify a personalization string
     105             :  * for initialization as well as an additional information string for each
     106             :  * random number request.  The following code fragments show how a caller
     107             :  * uses the API to use the full functionality of the DRBG.
     108             :  *
     109             :  * Usage without any additional data
     110             :  * ---------------------------------
     111             :  * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
     112             :  *
     113             :  *
     114             :  * Usage with personalization string during initialization
     115             :  * -------------------------------------------------------
     116             :  * drbg_string_t pers;
     117             :  * char personalization[11] = "some-string";
     118             :  *
     119             :  * drbg_string_fill(&pers, personalization, strlen(personalization));
     120             :  * // The reset completely re-initializes the DRBG with the provided
     121             :  * // personalization string without changing the DRBG type
     122             :  * ret = gcry_control(GCRYCTL_DRBG_REINIT, 0, &pers);
     123             :  * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
     124             :  *
     125             :  *
     126             :  * Usage with additional information string during random number request
     127             :  * ---------------------------------------------------------------------
     128             :  * drbg_string_t addtl;
     129             :  * char addtl_string[11] = "some-string";
     130             :  *
     131             :  * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
     132             :  * // The following call is a wrapper to gcry_randomize() and returns
     133             :  * // the same error codes.
     134             :  * gcry_randomize_drbg(outbuf, OUTLEN, GCRY_STRONG_RANDOM, &addtl);
     135             :  *
     136             :  *
     137             :  * Usage with personalization and additional information strings
     138             :  * -------------------------------------------------------------
     139             :  * Just mix both scenarios above.
     140             :  *
     141             :  *
     142             :  * Switch the DRBG type to some other type
     143             :  * ---------------------------------------
     144             :  * // Switch to CTR DRBG AES-128 without prediction resistance
     145             :  * ret = gcry_control(GCRYCTL_DRBG_REINIT, DRBG_NOPR_CTRAES128, NULL);
     146             :  * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
     147             :  */
     148             : 
     149             : #include <string.h>
     150             : #include <unistd.h>
     151             : #include <stdint.h>
     152             : 
     153             : #include <config.h>
     154             : 
     155             : #include "g10lib.h"
     156             : #include "random.h"
     157             : #include "rand-internal.h"
     158             : #include "../cipher/bithelp.h"
     159             : 
     160             : 
     161             : 
     162             : /******************************************************************
     163             :  * Constants
     164             :  ******************************************************************/
     165             : 
     166             : /*
     167             :  * DRBG flags bitmasks
     168             :  *
     169             :  * 31 (B) 28      19         (A)         0
     170             :  *  +-+-+-+--------+---+-----------+-----+
     171             :  *  |~|~|u|~~~~~~~~| 3 |     2     |  1  |
     172             :  *  +-+-+-+--------+- -+-----------+-----+
     173             :  * ctl flg|        |drbg use selection flags
     174             :  *
     175             :  */
     176             : 
     177             : /* Internal state control flags (B) */
     178             : #define DRBG_PREDICTION_RESIST  ((u32)1<<28)
     179             : 
     180             : /* CTR type modifiers (A.1)*/
     181             : #define DRBG_CTRAES             ((u32)1<<0)
     182             : #define DRBG_CTRSERPENT         ((u32)1<<1)
     183             : #define DRBG_CTRTWOFISH         ((u32)1<<2)
     184             : #define DRBG_CTR_MASK           (DRBG_CTRAES | DRBG_CTRSERPENT \
     185             :                                  | DRBG_CTRTWOFISH)
     186             : 
     187             : /* HASH type modifiers (A.2)*/
     188             : #define DRBG_HASHSHA1           ((u32)1<<4)
     189             : #define DRBG_HASHSHA224         ((u32)1<<5)
     190             : #define DRBG_HASHSHA256         ((u32)1<<6)
     191             : #define DRBG_HASHSHA384         ((u32)1<<7)
     192             : #define DRBG_HASHSHA512         ((u32)1<<8)
     193             : #define DRBG_HASH_MASK          (DRBG_HASHSHA1 | DRBG_HASHSHA224 \
     194             :                                  | DRBG_HASHSHA256 | DRBG_HASHSHA384 \
     195             :                                  | DRBG_HASHSHA512)
     196             : /* type modifiers (A.3)*/
     197             : #define DRBG_HMAC               ((u32)1<<12)
     198             : #define DRBG_SYM128             ((u32)1<<13)
     199             : #define DRBG_SYM192             ((u32)1<<14)
     200             : #define DRBG_SYM256             ((u32)1<<15)
     201             : #define DRBG_TYPE_MASK          (DRBG_HMAC | DRBG_SYM128 | DRBG_SYM192 \
     202             :                                  | DRBG_SYM256)
     203             : #define DRBG_CIPHER_MASK        (DRBG_CTR_MASK | DRBG_HASH_MASK \
     204             :                                  | DRBG_TYPE_MASK)
     205             : 
     206             : #define DRBG_PR_CTRAES128   (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM128)
     207             : #define DRBG_PR_CTRAES192   (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM192)
     208             : #define DRBG_PR_CTRAES256   (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM256)
     209             : #define DRBG_NOPR_CTRAES128 (DRBG_CTRAES | DRBG_SYM128)
     210             : #define DRBG_NOPR_CTRAES192 (DRBG_CTRAES | DRBG_SYM192)
     211             : #define DRBG_NOPR_CTRAES256 (DRBG_CTRAES | DRBG_SYM256)
     212             : #define DRBG_PR_HASHSHA1     (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1)
     213             : #define DRBG_PR_HASHSHA256   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256)
     214             : #define DRBG_PR_HASHSHA384   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384)
     215             : #define DRBG_PR_HASHSHA512   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512)
     216             : #define DRBG_NOPR_HASHSHA1   (DRBG_HASHSHA1)
     217             : #define DRBG_NOPR_HASHSHA256 (DRBG_HASHSHA256)
     218             : #define DRBG_NOPR_HASHSHA384 (DRBG_HASHSHA384)
     219             : #define DRBG_NOPR_HASHSHA512 (DRBG_HASHSHA512)
     220             : #define DRBG_PR_HMACSHA1     (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1 \
     221             :                               | DRBG_HMAC)
     222             : #define DRBG_PR_HMACSHA256   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256 \
     223             :                               | DRBG_HMAC)
     224             : #define DRBG_PR_HMACSHA384   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384 \
     225             :                               | DRBG_HMAC)
     226             : #define DRBG_PR_HMACSHA512   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512 \
     227             :                               | DRBG_HMAC)
     228             : #define DRBG_NOPR_HMACSHA1   (DRBG_HASHSHA1 | DRBG_HMAC)
     229             : #define DRBG_NOPR_HMACSHA256 (DRBG_HASHSHA256 | DRBG_HMAC)
     230             : #define DRBG_NOPR_HMACSHA384 (DRBG_HASHSHA384 | DRBG_HMAC)
     231             : #define DRBG_NOPR_HMACSHA512 (DRBG_HASHSHA512 | DRBG_HMAC)
     232             : 
     233             : 
     234             : /* The default DRGB type.  */
     235             : #define DRBG_DEFAULT_TYPE    DRBG_NOPR_HMACSHA256
     236             : 
     237             : 
     238             : 
     239             : /******************************************************************
     240             :  * Common data structures
     241             :  ******************************************************************/
     242             : 
     243             : /*
     244             :  * SP800-90A requires the concatenation of different data. To avoid copying
     245             :  * buffers around or allocate additional memory, the following data structure
     246             :  * is used to point to the original memory with its size. In addition, it
     247             :  * is used to build a linked list. The linked list defines the concatenation
     248             :  * of individual buffers. The order of memory block referenced in that
     249             :  * linked list determines the order of concatenation.
     250             :  */
     251             : struct drbg_string_s
     252             : {
     253             :   const unsigned char *buf;
     254             :   size_t len;
     255             :   struct drbg_string_s *next;
     256             : };
     257             : typedef struct drbg_string_s drbg_string_t;
     258             : 
     259             : 
     260             : /* DRBG input data structure for DRBG generate with additional
     261             :  * information string.  */
     262             : struct drbg_gen_s
     263             : {
     264             :   unsigned char *outbuf;        /* output buffer for random numbers */
     265             :   unsigned int outlen;          /* size of output buffer */
     266             :   drbg_string_t *addtl;         /* input buffer for
     267             :                                  * additional information string */
     268             : };
     269             : typedef struct drbg_gen_s drbg_gen_t;
     270             : 
     271             : 
     272             : /* Forward declaration of the state object pointer.  */
     273             : struct drbg_state_s;
     274             : typedef struct drbg_state_s *drbg_state_t;
     275             : 
     276             : 
     277             : struct drbg_core_s
     278             : {
     279             :   u32 flags;                    /* flags for the cipher */
     280             :   ushort statelen;              /* maximum state length */
     281             :   ushort blocklen_bytes;        /* block size of output in bytes */
     282             :   int backend_cipher;           /* libgcrypt backend cipher */
     283             : };
     284             : 
     285             : struct drbg_state_ops_s
     286             : {
     287             :   gpg_err_code_t (*update) (drbg_state_t drbg,
     288             :                             drbg_string_t *seed, int reseed);
     289             :   gpg_err_code_t (*generate) (drbg_state_t drbg,
     290             :                               unsigned char *buf, unsigned int buflen,
     291             :                               drbg_string_t *addtl);
     292             : };
     293             : 
     294             : struct drbg_test_data_s
     295             : {
     296             :   drbg_string_t *testentropy;   /* TEST PARAMETER: test entropy */
     297             :   int fail_seed_source:1;       /* If set, the seed function will
     298             :                                  * return an error. */
     299             : };
     300             : 
     301             : 
     302             : /* This state object keeps the state of an DRBG instance.  */
     303             : struct drbg_state_s
     304             : {
     305             :   unsigned char *V;             /* internal state 10.1.1.1 1a) */
     306             :   unsigned char *C;             /* hash: static value 10.1.1.1 1b)
     307             :                                  * hmac / ctr: key */
     308             :   size_t reseed_ctr;            /* Number of RNG requests since last reseed --
     309             :                                  * 10.1.1.1 1c) */
     310             :   unsigned char *scratchpad;    /* some memory the DRBG can use for its
     311             :                                  * operation -- allocated during init */
     312             :   int seeded:1;                 /* DRBG fully seeded? */
     313             :   int pr:1;                     /* Prediction resistance enabled? */
     314             :   /* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the
     315             :    * process which did the initialization so that we can detect a fork.
     316             :    * The volatile modifier is required so that the compiler does not
     317             :    * optimize it away in case the getpid function is badly attributed. */
     318             :   pid_t seed_init_pid;
     319             :   const struct drbg_state_ops_s *d_ops;
     320             :   const struct drbg_core_s *core;
     321             :   struct drbg_test_data_s *test_data;
     322             : };
     323             : 
     324             : enum drbg_prefixes
     325             : {
     326             :   DRBG_PREFIX0 = 0x00,
     327             :   DRBG_PREFIX1,
     328             :   DRBG_PREFIX2,
     329             :   DRBG_PREFIX3
     330             : };
     331             : 
     332             : #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
     333             : 
     334             : /***************************************************************
     335             :  * Global variables
     336             :  ***************************************************************/
     337             : 
     338             : /* Global state variable holding the current instance of the DRBG.  */
     339             : static drbg_state_t drbg_state;
     340             : 
     341             : /* This is the lock variable we use to serialize access to this RNG. */
     342             : GPGRT_LOCK_DEFINE(drbg_lock_var);
     343             : 
     344             : 
     345             : /***************************************************************
     346             :  * Backend cipher definitions available to DRBG
     347             :  ***************************************************************/
     348             : 
     349             : static const struct drbg_core_s drbg_cores[] = {
     350             :   /* Hash DRBGs */
     351             :   {DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1},
     352             :   {DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256},
     353             :   {DRBG_HASHSHA384, 111, 48, GCRY_MD_SHA384},
     354             :   {DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512},
     355             :   /* HMAC DRBGs */
     356             :   {DRBG_HASHSHA1   | DRBG_HMAC, 20, 20, GCRY_MD_SHA1},
     357             :   {DRBG_HASHSHA256 | DRBG_HMAC, 32, 32, GCRY_MD_SHA256},
     358             :   {DRBG_HASHSHA384 | DRBG_HMAC, 48, 48, GCRY_MD_SHA384},
     359             :   {DRBG_HASHSHA512 | DRBG_HMAC, 64, 64, GCRY_MD_SHA512},
     360             :   /* block ciphers */
     361             :   {DRBG_CTRAES | DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128},
     362             :   {DRBG_CTRAES | DRBG_SYM192, 40, 16, GCRY_CIPHER_AES192},
     363             :   {DRBG_CTRAES | DRBG_SYM256, 48, 16, GCRY_CIPHER_AES256}
     364             : };
     365             : 
     366             : static gpg_err_code_t drbg_sym (drbg_state_t drbg,
     367             :                                 const unsigned char *key,
     368             :                                 unsigned char *outval,
     369             :                                 const drbg_string_t *buf);
     370             : static gpg_err_code_t drbg_hmac (drbg_state_t drbg,
     371             :                                  const unsigned char *key,
     372             :                                  unsigned char *outval,
     373             :                                  const drbg_string_t *buf);
     374             : 
     375             : /******************************************************************
     376             :  ******************************************************************
     377             :  ******************************************************************
     378             :  * Generic DRBG code
     379             :  ******************************************************************
     380             :  ******************************************************************
     381             :  ******************************************************************/
     382             : 
     383             : /******************************************************************
     384             :  * Generic helper functions
     385             :  ******************************************************************/
     386             : 
     387             : #if 0
     388             : #define dbg(x) do { log_debug x; } while(0)
     389             : #else
     390             : #define dbg(x)
     391             : #endif
     392             : 
     393             : /*
     394             :  * Parse a string of flags and store the flag values at R_FLAGS.
     395             :  * Return 0 on success.
     396             :  */
     397             : static gpg_err_code_t
     398           0 : parse_flag_string (const char *string, u32 *r_flags)
     399             : {
     400             :   struct {
     401             :     const char *name;
     402             :     u32 flag;
     403           0 :   } table[] = {
     404             :     { "aes",     DRBG_CTRAES            },
     405             :     { "serpent", DRBG_CTRSERPENT        },
     406             :     { "twofish", DRBG_CTRTWOFISH        },
     407             :     { "sha1",    DRBG_HASHSHA1          },
     408             :     { "sha256",  DRBG_HASHSHA256        },
     409             :     { "sha512",  DRBG_HASHSHA512        },
     410             :     { "hmac",    DRBG_HMAC              },
     411             :     { "sym128",  DRBG_SYM128            },
     412             :     { "sym192",  DRBG_SYM192            },
     413             :     { "sym256",  DRBG_SYM256            },
     414             :     { "pr",      DRBG_PREDICTION_RESIST }
     415             :   };
     416             : 
     417           0 :   *r_flags = 0;
     418           0 :   if (string)
     419             :     {
     420             :       char **tl;
     421             :       const char *s;
     422             :       int i, j;
     423             : 
     424           0 :       tl = _gcry_strtokenize (string, NULL);
     425           0 :       if (!tl)
     426           0 :         return gpg_err_code_from_syserror ();
     427           0 :       for (i=0; (s=tl[i]); i++)
     428             :         {
     429           0 :           for (j=0; j < DIM (table); j++)
     430           0 :             if (!strcmp (s, table[j].name))
     431             :               {
     432           0 :                 *r_flags |= table[j].flag;
     433           0 :                 break;
     434             :               }
     435           0 :           if (!(j < DIM (table)))
     436             :             {
     437           0 :               xfree (tl);
     438           0 :               return GPG_ERR_INV_FLAG;
     439             :             }
     440             :         }
     441           0 :       xfree (tl);
     442             :     }
     443             : 
     444           0 :   return 0;
     445             : }
     446             : 
     447             : static inline void
     448          32 : drbg_string_fill (drbg_string_t *string,
     449             :                        const unsigned char *buf, size_t len)
     450             : {
     451          32 :   string->buf = buf;
     452          32 :   string->len = len;
     453          32 :   string->next = NULL;
     454          32 : }
     455             : 
     456             : static inline ushort
     457          54 : drbg_statelen (drbg_state_t drbg)
     458             : {
     459          54 :   if (drbg && drbg->core)
     460          54 :     return drbg->core->statelen;
     461           0 :   return 0;
     462             : }
     463             : 
     464             : static inline ushort
     465          32 : drbg_blocklen (drbg_state_t drbg)
     466             : {
     467          32 :   if (drbg && drbg->core)
     468          32 :     return drbg->core->blocklen_bytes;
     469           0 :   return 0;
     470             : }
     471             : 
     472             : static inline ushort
     473           0 : drbg_keylen (drbg_state_t drbg)
     474             : {
     475           0 :   if (drbg && drbg->core)
     476           0 :     return (drbg->core->statelen - drbg->core->blocklen_bytes);
     477           0 :   return 0;
     478             : }
     479             : 
     480             : static inline size_t
     481          12 : drbg_max_request_bytes (void)
     482             : {
     483             :   /* SP800-90A requires the limit 2**19 bits, but we return bytes */
     484          12 :   return (1 << 16);
     485             : }
     486             : 
     487             : static inline size_t
     488           0 : drbg_max_addtl (void)
     489             : {
     490             :   /* SP800-90A requires 2**35 bytes additional info str / pers str */
     491             : #ifdef __LP64__
     492           0 :   return (1UL << 35);
     493             : #else
     494             :   /*
     495             :    * SP800-90A allows smaller maximum numbers to be returned -- we
     496             :    * return SIZE_MAX - 1 to allow the verification of the enforcement
     497             :    * of this value in drbg_healthcheck_sanity.
     498             :    */
     499             :   return (SIZE_MAX - 1);
     500             : #endif
     501             : }
     502             : 
     503             : static inline size_t
     504           6 : drbg_max_requests (void)
     505             : {
     506             :   /* SP800-90A requires 2**48 maximum requests before reseeding */
     507             : #ifdef __LP64__
     508           6 :   return (1UL << 48);
     509             : #else
     510             :   return SIZE_MAX;
     511             : #endif
     512             : }
     513             : 
     514             : /*
     515             :  * Return strength of DRBG according to SP800-90A section 8.4
     516             :  *
     517             :  * flags: DRBG flags reference
     518             :  *
     519             :  * Return: normalized strength value or 32 as a default to counter
     520             :  *         programming errors
     521             :  */
     522             : static inline unsigned short
     523           2 : drbg_sec_strength (u32 flags)
     524             : {
     525           2 :   if ((flags & DRBG_HASHSHA1) || (flags & DRBG_SYM128))
     526           0 :     return 16;
     527           2 :   else if (flags & DRBG_SYM192)
     528           0 :     return 24;
     529           2 :   else if ((flags & DRBG_SYM256) || (flags & DRBG_HASHSHA256) ||
     530           0 :            (flags & DRBG_HASHSHA384) || (flags & DRBG_HASHSHA512))
     531           2 :     return 32;
     532             :   else
     533           0 :     return 32;
     534             : }
     535             : 
     536             : /*
     537             :  * Convert an integer into a byte representation of this integer.
     538             :  * The byte representation is big-endian
     539             :  *
     540             :  * @val value to be converted
     541             :  * @buf buffer holding the converted integer -- caller must ensure that
     542             :  *      buffer size is at least 32 bit
     543             :  */
     544             : static inline void
     545           0 : drbg_cpu_to_be32 (u32 val, unsigned char *buf)
     546             : {
     547             :   /* FIXME: This may raise a bus error.  */
     548             :   struct s
     549             :   {
     550             :     u32 conv;
     551             :   };
     552           0 :   struct s *conversion = (struct s *) buf;
     553             : 
     554           0 :   conversion->conv = be_bswap32 (val);
     555           0 : }
     556             : 
     557             : static void
     558           0 : drbg_add_buf (unsigned char *dst, size_t dstlen,
     559             :               unsigned char *add, size_t addlen)
     560             : {
     561             :   /* implied: dstlen > addlen */
     562             :   unsigned char *dstptr, *addptr;
     563           0 :   unsigned int remainder = 0;
     564           0 :   size_t len = addlen;
     565             : 
     566           0 :   dstptr = dst + (dstlen - 1);
     567           0 :   addptr = add + (addlen - 1);
     568           0 :   while (len)
     569             :     {
     570           0 :       remainder += *dstptr + *addptr;
     571           0 :       *dstptr = remainder & 0xff;
     572           0 :       remainder >>= 8;
     573           0 :       len--;
     574           0 :       dstptr--;
     575           0 :       addptr--;
     576             :     }
     577           0 :   len = dstlen - addlen;
     578           0 :   while (len && remainder > 0)
     579             :     {
     580           0 :       remainder = *dstptr + 1;
     581           0 :       *dstptr = remainder & 0xff;
     582           0 :       remainder >>= 8;
     583           0 :       len--;
     584           0 :       dstptr--;
     585             :     }
     586           0 : }
     587             : 
     588             : /* Helper variables for read_cb().
     589             :  *
     590             :  *   The _gcry_rnd*_gather_random interface does not allow to provide a
     591             :  *   data pointer.  Thus we need to use a global variable for
     592             :  *   communication.  However, the then required locking is anyway a good
     593             :  *   idea because it does not make sense to have several readers of (say
     594             :  *   /dev/random).  It is easier to serve them one after the other.
     595             :  */
     596             : static unsigned char *read_cb_buffer;   /* The buffer.  */
     597             : static size_t read_cb_size;             /* Size of the buffer.  */
     598             : static size_t read_cb_len;              /* Used length.  */
     599             : 
     600             : /* Callback for generating seed from kernel device. */
     601             : static void
     602          16 : drbg_read_cb (const void *buffer, size_t length,
     603             :               enum random_origins origin)
     604             : {
     605          16 :   const unsigned char *p = buffer;
     606             : 
     607             :   (void) origin;
     608          16 :   gcry_assert (read_cb_buffer);
     609             : 
     610             :   /* Note that we need to protect against gatherers returning more
     611             :    * than the requested bytes (e.g. rndw32).  */
     612         128 :   while (length-- && read_cb_len < read_cb_size)
     613          96 :     read_cb_buffer[read_cb_len++] = *p++;
     614          16 : }
     615             : 
     616             : static inline int
     617           2 : drbg_get_entropy (drbg_state_t drbg, unsigned char *buffer,
     618             :                        size_t len)
     619             : {
     620           2 :   int rc = 0;
     621             : 
     622             :   /* Perform testing as defined in 11.3.2 */
     623           2 :   if (drbg->test_data && drbg->test_data->fail_seed_source)
     624           0 :     return -1;
     625             : 
     626           2 :   read_cb_buffer = buffer;
     627           2 :   read_cb_size = len;
     628           2 :   read_cb_len = 0;
     629             : #if USE_RNDLINUX
     630           2 :   rc = _gcry_rndlinux_gather_random (drbg_read_cb, 0, len,
     631             :                                      GCRY_VERY_STRONG_RANDOM);
     632             : #elif USE_RNDUNIX
     633             :   rc = _gcry_rndunix_gather_random (drbg_read_cb, 0, len,
     634             :                                     GCRY_VERY_STRONG_RANDOM);
     635             : #elif USE_RNDW32
     636             :   do
     637             :     {
     638             :       rc = _gcry_rndw32_gather_random (drbg_read_cb, 0, len,
     639             :                                        GCRY_VERY_STRONG_RANDOM);
     640             :     }
     641             :   while (rc >= 0 && read_cb_len < read_cb_size);
     642             : #else
     643             :   rc = -1;
     644             : #endif
     645           2 :   return rc;
     646             : }
     647             : 
     648             : /******************************************************************
     649             :  * CTR DRBG callback functions
     650             :  ******************************************************************/
     651             : 
     652             : /* BCC function for CTR DRBG as defined in 10.4.3 */
     653             : static gpg_err_code_t
     654           0 : drbg_ctr_bcc (drbg_state_t drbg,
     655             :               unsigned char *out, const unsigned char *key,
     656             :               drbg_string_t *in)
     657             : {
     658           0 :   gpg_err_code_t ret = GPG_ERR_GENERAL;
     659           0 :   drbg_string_t *curr = in;
     660           0 :   size_t inpos = curr->len;
     661           0 :   const unsigned char *pos = curr->buf;
     662             :   drbg_string_t data;
     663             : 
     664           0 :   drbg_string_fill (&data, out, drbg_blocklen (drbg));
     665             : 
     666             :   /* 10.4.3 step 1 */
     667           0 :   memset (out, 0, drbg_blocklen (drbg));
     668             : 
     669             :   /* 10.4.3 step 2 / 4 */
     670           0 :   while (inpos)
     671             :     {
     672           0 :       short cnt = 0;
     673             :       /* 10.4.3 step 4.1 */
     674           0 :       for (cnt = 0; cnt < drbg_blocklen (drbg); cnt++)
     675             :         {
     676           0 :           out[cnt] ^= *pos;
     677           0 :           pos++;
     678           0 :           inpos--;
     679             :           /* the following branch implements the linked list
     680             :            * iteration. If we are at the end of the current data
     681             :            * set, we have to start using the next data set if
     682             :            * available -- the inpos value always points to the
     683             :            * current byte and will be zero if we have processed
     684             :            * the last byte of the last linked list member */
     685           0 :           if (0 == inpos)
     686             :             {
     687           0 :               curr = curr->next;
     688           0 :               if (NULL != curr)
     689             :                 {
     690           0 :                   pos = curr->buf;
     691           0 :                   inpos = curr->len;
     692             :                 }
     693             :               else
     694             :                 {
     695           0 :                   inpos = 0;
     696           0 :                   break;
     697             :                 }
     698             :             }
     699             :         }
     700             :       /* 10.4.3 step 4.2 */
     701           0 :       ret = drbg_sym (drbg, key, out, &data);
     702           0 :       if (ret)
     703           0 :         return ret;
     704             :       /* 10.4.3 step 2 */
     705             :     }
     706           0 :   return 0;
     707             : }
     708             : 
     709             : 
     710             : /*
     711             :  * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
     712             :  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
     713             :  * the scratchpad is used as follows:
     714             :  * drbg_ctr_update:
     715             :  *      temp
     716             :  *              start: drbg->scratchpad
     717             :  *              length: drbg_statelen(drbg) + drbg_blocklen(drbg)
     718             :  *                      note: the cipher writing into this variable works
     719             :  *                      blocklen-wise. Now, when the statelen is not a multiple
     720             :  *                      of blocklen, the generateion loop below "spills over"
     721             :  *                      by at most blocklen. Thus, we need to give sufficient
     722             :  *                      memory.
     723             :  *      df_data
     724             :  *              start: drbg->scratchpad +
     725             :  *                              drbg_statelen(drbg) +
     726             :  *                              drbg_blocklen(drbg)
     727             :  *              length: drbg_statelen(drbg)
     728             :  *
     729             :  * drbg_ctr_df:
     730             :  *      pad
     731             :  *              start: df_data + drbg_statelen(drbg)
     732             :  *              length: drbg_blocklen(drbg)
     733             :  *      iv
     734             :  *              start: pad + drbg_blocklen(drbg)
     735             :  *              length: drbg_blocklen(drbg)
     736             :  *      temp
     737             :  *              start: iv + drbg_blocklen(drbg)
     738             :  *              length: drbg_satelen(drbg) + drbg_blocklen(drbg)
     739             :  *                      note: temp is the buffer that the BCC function operates
     740             :  *                      on. BCC operates blockwise. drbg_statelen(drbg)
     741             :  *                      is sufficient when the DRBG state length is a multiple
     742             :  *                      of the block size. For AES192 (and maybe other ciphers)
     743             :  *                      this is not correct and the length for temp is
     744             :  *                      insufficient (yes, that also means for such ciphers,
     745             :  *                      the final output of all BCC rounds are truncated).
     746             :  *                      Therefore, add drbg_blocklen(drbg) to cover all
     747             :  *                      possibilities.
     748             :  */
     749             : 
     750             : /* Derivation Function for CTR DRBG as defined in 10.4.2 */
     751             : static gpg_err_code_t
     752           0 : drbg_ctr_df (drbg_state_t drbg, unsigned char *df_data,
     753             :              size_t bytes_to_return, drbg_string_t *addtl)
     754             : {
     755           0 :   gpg_err_code_t ret = GPG_ERR_GENERAL;
     756             :   unsigned char L_N[8];
     757             :   /* S3 is input */
     758             :   drbg_string_t S1, S2, S4, cipherin;
     759           0 :   drbg_string_t *tempstr = addtl;
     760           0 :   unsigned char *pad = df_data + drbg_statelen (drbg);
     761           0 :   unsigned char *iv = pad + drbg_blocklen (drbg);
     762           0 :   unsigned char *temp = iv + drbg_blocklen (drbg);
     763           0 :   size_t padlen = 0;
     764           0 :   unsigned int templen = 0;
     765             :   /* 10.4.2 step 7 */
     766           0 :   unsigned int i = 0;
     767             :   /* 10.4.2 step 8 */
     768           0 :   const unsigned char *K = (unsigned char *)
     769             :     "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
     770             :     "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
     771             :   unsigned char *X;
     772           0 :   size_t generated_len = 0;
     773           0 :   size_t inputlen = 0;
     774             : 
     775           0 :   memset (pad, 0, drbg_blocklen (drbg));
     776           0 :   memset (iv, 0, drbg_blocklen (drbg));
     777           0 :   memset (temp, 0, drbg_statelen (drbg));
     778             : 
     779             :   /* 10.4.2 step 1 is implicit as we work byte-wise */
     780             : 
     781             :   /* 10.4.2 step 2 */
     782           0 :   if ((512 / 8) < bytes_to_return)
     783           0 :     return GPG_ERR_INV_ARG;
     784             : 
     785             :   /* 10.4.2 step 2 -- calculate the entire length of all input data */
     786           0 :   for (; NULL != tempstr; tempstr = tempstr->next)
     787           0 :     inputlen += tempstr->len;
     788           0 :   drbg_cpu_to_be32 (inputlen, &L_N[0]);
     789             : 
     790             :   /* 10.4.2 step 3 */
     791           0 :   drbg_cpu_to_be32 (bytes_to_return, &L_N[4]);
     792             : 
     793             :   /* 10.4.2 step 5: length is size of L_N, input_string, one byte, padding */
     794           0 :   padlen = (inputlen + sizeof (L_N) + 1) % (drbg_blocklen (drbg));
     795             :   /* wrap the padlen appropriately */
     796           0 :   if (padlen)
     797           0 :     padlen = drbg_blocklen (drbg) - padlen;
     798             :   /* pad / padlen contains the 0x80 byte and the following zero bytes, so
     799             :    * add one for byte for 0x80 */
     800           0 :   padlen++;
     801           0 :   pad[0] = 0x80;
     802             : 
     803             :   /* 10.4.2 step 4 -- first fill the linked list and then order it */
     804           0 :   drbg_string_fill (&S1, iv, drbg_blocklen (drbg));
     805           0 :   drbg_string_fill (&S2, L_N, sizeof (L_N));
     806           0 :   drbg_string_fill (&S4, pad, padlen);
     807           0 :   S1.next = &S2;
     808           0 :   S2.next = addtl;
     809             : 
     810             :   /* Splice in addtl between S2 and S4 -- we place S4 at the end of the
     811             :    * input data chain. As this code is only triggered when addtl is not
     812             :    * NULL, no NULL checks are necessary.*/
     813           0 :   tempstr = addtl;
     814           0 :   while (tempstr->next)
     815           0 :     tempstr = tempstr->next;
     816           0 :   tempstr->next = &S4;
     817             : 
     818             :   /* 10.4.2 step 9 */
     819           0 :   while (templen < (drbg_keylen (drbg) + (drbg_blocklen (drbg))))
     820             :     {
     821             :       /* 10.4.2 step 9.1 - the padding is implicit as the buffer
     822             :        * holds zeros after allocation -- even the increment of i
     823             :        * is irrelevant as the increment remains within length of i */
     824           0 :       drbg_cpu_to_be32 (i, iv);
     825             :       /* 10.4.2 step 9.2 -- BCC and concatenation with temp */
     826           0 :       ret = drbg_ctr_bcc (drbg, temp + templen, K, &S1);
     827           0 :       if (ret)
     828           0 :         goto out;
     829             :       /* 10.4.2 step 9.3 */
     830           0 :       i++;
     831           0 :       templen += drbg_blocklen (drbg);
     832             :     }
     833             : 
     834             :   /* 10.4.2 step 11 */
     835             :   /* implicit key len with seedlen - blocklen according to table 3 */
     836           0 :   X = temp + (drbg_keylen (drbg));
     837           0 :   drbg_string_fill (&cipherin, X, drbg_blocklen (drbg));
     838             : 
     839             :   /* 10.4.2 step 12: overwriting of outval */
     840             : 
     841             :   /* 10.4.2 step 13 */
     842           0 :   while (generated_len < bytes_to_return)
     843             :     {
     844           0 :       short blocklen = 0;
     845             :       /* 10.4.2 step 13.1 */
     846             :       /* the truncation of the key length is implicit as the key
     847             :        * is only drbg_blocklen in size -- check for the implementation
     848             :        * of the cipher function callback */
     849           0 :       ret = drbg_sym (drbg, temp, X, &cipherin);
     850           0 :       if (ret)
     851           0 :         goto out;
     852           0 :       blocklen = (drbg_blocklen (drbg) <
     853           0 :                   (bytes_to_return - generated_len)) ?
     854           0 :         drbg_blocklen (drbg) : (bytes_to_return - generated_len);
     855             :       /* 10.4.2 step 13.2 and 14 */
     856           0 :       memcpy (df_data + generated_len, X, blocklen);
     857           0 :       generated_len += blocklen;
     858             :     }
     859             : 
     860           0 :   ret = 0;
     861             : 
     862             :  out:
     863           0 :   memset (iv, 0, drbg_blocklen (drbg));
     864           0 :   memset (temp, 0, drbg_statelen (drbg));
     865           0 :   memset (pad, 0, drbg_blocklen (drbg));
     866           0 :   return ret;
     867             : }
     868             : 
     869             : /*
     870             :  * Update function of CTR DRBG as defined in 10.2.1.2
     871             :  *
     872             :  * The reseed variable has an enhanced meaning compared to the update
     873             :  * functions of the other DRBGs as follows:
     874             :  * 0 => initial seed from initialization
     875             :  * 1 => reseed via drbg_seed
     876             :  * 2 => first invocation from drbg_ctr_update when addtl is present. In
     877             :  *      this case, the df_data scratchpad is not deleted so that it is
     878             :  *      available for another calls to prevent calling the DF function
     879             :  *      again.
     880             :  * 3 => second invocation from drbg_ctr_update. When the update function
     881             :  *      was called with addtl, the df_data memory already contains the
     882             :  *      DFed addtl information and we do not need to call DF again.
     883             :  */
     884             : static gpg_err_code_t
     885           0 : drbg_ctr_update (drbg_state_t drbg, drbg_string_t *addtl, int reseed)
     886             : {
     887           0 :   gpg_err_code_t ret = GPG_ERR_GENERAL;
     888             :   /* 10.2.1.2 step 1 */
     889           0 :   unsigned char *temp = drbg->scratchpad;
     890           0 :   unsigned char *df_data = drbg->scratchpad +
     891           0 :     drbg_statelen (drbg) + drbg_blocklen (drbg);
     892             :   unsigned char *temp_p, *df_data_p;    /* pointer to iterate over buffers */
     893           0 :   unsigned int len = 0;
     894             :   drbg_string_t cipherin;
     895           0 :   unsigned char prefix = DRBG_PREFIX1;
     896             : 
     897           0 :   memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
     898           0 :   if (3 > reseed)
     899           0 :     memset (df_data, 0, drbg_statelen (drbg));
     900             : 
     901             :   /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
     902             :   /* TODO use reseed variable to avoid re-doing DF operation */
     903             :   (void) reseed;
     904           0 :   if (addtl && 0 < addtl->len)
     905             :     {
     906           0 :       ret =
     907           0 :         drbg_ctr_df (drbg, df_data, drbg_statelen (drbg), addtl);
     908           0 :       if (ret)
     909           0 :         goto out;
     910             :     }
     911             : 
     912           0 :   drbg_string_fill (&cipherin, drbg->V, drbg_blocklen (drbg));
     913             :   /* 10.2.1.3.2 step 2 and 3 -- are already covered as we memset(0)
     914             :    * all memory during initialization */
     915           0 :   while (len < (drbg_statelen (drbg)))
     916             :     {
     917             :       /* 10.2.1.2 step 2.1 */
     918           0 :       drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
     919             :       /* 10.2.1.2 step 2.2 */
     920             :       /* using target of temp + len: 10.2.1.2 step 2.3 and 3 */
     921           0 :       ret = drbg_sym (drbg, drbg->C, temp + len, &cipherin);
     922           0 :       if (ret)
     923           0 :         goto out;
     924             :       /* 10.2.1.2 step 2.3 and 3 */
     925           0 :       len += drbg_blocklen (drbg);
     926             :     }
     927             : 
     928             :   /* 10.2.1.2 step 4 */
     929           0 :   temp_p = temp;
     930           0 :   df_data_p = df_data;
     931           0 :   for (len = 0; len < drbg_statelen (drbg); len++)
     932             :     {
     933           0 :       *temp_p ^= *df_data_p;
     934           0 :       df_data_p++;
     935           0 :       temp_p++;
     936             :     }
     937             : 
     938             :   /* 10.2.1.2 step 5 */
     939           0 :   memcpy (drbg->C, temp, drbg_keylen (drbg));
     940             :   /* 10.2.1.2 step 6 */
     941           0 :   memcpy (drbg->V, temp + drbg_keylen (drbg), drbg_blocklen (drbg));
     942           0 :   ret = 0;
     943             : 
     944             :  out:
     945           0 :   memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
     946           0 :   if (2 != reseed)
     947           0 :     memset (df_data, 0, drbg_statelen (drbg));
     948           0 :   return ret;
     949             : }
     950             : 
     951             : /*
     952             :  * scratchpad use: drbg_ctr_update is called independently from
     953             :  * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
     954             :  */
     955             : /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
     956             : static gpg_err_code_t
     957           0 : drbg_ctr_generate (drbg_state_t drbg,
     958             :                    unsigned char *buf, unsigned int buflen,
     959             :                    drbg_string_t *addtl)
     960             : {
     961           0 :   gpg_err_code_t ret = 0;
     962           0 :   unsigned int len = 0;
     963             :   drbg_string_t data;
     964           0 :   unsigned char prefix = DRBG_PREFIX1;
     965             : 
     966           0 :   memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
     967             : 
     968             :   /* 10.2.1.5.2 step 2 */
     969           0 :   if (addtl && 0 < addtl->len)
     970             :     {
     971           0 :       addtl->next = NULL;
     972           0 :       ret = drbg_ctr_update (drbg, addtl, 2);
     973           0 :       if (ret)
     974           0 :         return ret;
     975             :     }
     976             : 
     977             :   /* 10.2.1.5.2 step 4.1 */
     978           0 :   drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
     979           0 :   drbg_string_fill (&data, drbg->V, drbg_blocklen (drbg));
     980           0 :   while (len < buflen)
     981             :     {
     982           0 :       unsigned int outlen = 0;
     983             :       /* 10.2.1.5.2 step 4.2 */
     984           0 :       ret = drbg_sym (drbg, drbg->C, drbg->scratchpad, &data);
     985           0 :       if (ret)
     986           0 :         goto out;
     987           0 :       outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
     988           0 :         drbg_blocklen (drbg) : (buflen - len);
     989             :       /* 10.2.1.5.2 step 4.3 */
     990           0 :       memcpy (buf + len, drbg->scratchpad, outlen);
     991           0 :       len += outlen;
     992             :       /* 10.2.1.5.2 step 6 */
     993           0 :       if (len < buflen)
     994           0 :         drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
     995             :     }
     996             : 
     997             :   /* 10.2.1.5.2 step 6 */
     998           0 :   if (addtl)
     999           0 :     addtl->next = NULL;
    1000           0 :   ret = drbg_ctr_update (drbg, addtl, 3);
    1001             : 
    1002             :  out:
    1003           0 :   memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
    1004           0 :   return ret;
    1005             : }
    1006             : 
    1007             : static struct drbg_state_ops_s drbg_ctr_ops = {
    1008             :   drbg_ctr_update,
    1009             :   drbg_ctr_generate
    1010             : };
    1011             : 
    1012             : /******************************************************************
    1013             :  * HMAC DRBG callback functions
    1014             :  ******************************************************************/
    1015             : 
    1016             : static gpg_err_code_t
    1017           8 : drbg_hmac_update (drbg_state_t drbg, drbg_string_t *seed, int reseed)
    1018             : {
    1019           8 :   gpg_err_code_t ret = GPG_ERR_GENERAL;
    1020           8 :   int i = 0;
    1021             :   drbg_string_t seed1, seed2, cipherin;
    1022             : 
    1023           8 :   if (!reseed)
    1024             :     {
    1025             :       /* 10.1.2.3 step 2 already implicitly covered with
    1026             :        * the initial memset(0) of drbg->C */
    1027           2 :       memset (drbg->V, 1, drbg_statelen (drbg));
    1028             :     }
    1029             : 
    1030             :   /* build linked list which implements the concatenation and fill
    1031             :    * first part*/
    1032           8 :   drbg_string_fill (&seed1, drbg->V, drbg_statelen (drbg));
    1033             :   /* buffer will be filled in for loop below with one byte */
    1034           8 :   drbg_string_fill (&seed2, NULL, 1);
    1035           8 :   seed1.next = &seed2;
    1036             :   /* seed may be NULL */
    1037           8 :   seed2.next = seed;
    1038             : 
    1039           8 :   drbg_string_fill (&cipherin, drbg->V, drbg_statelen (drbg));
    1040             :   /* we execute two rounds of V/K massaging */
    1041          24 :   for (i = 2; 0 < i; i--)
    1042             :     {
    1043             :       /* first round uses 0x0, second 0x1 */
    1044          10 :       unsigned char prefix = DRBG_PREFIX0;
    1045          10 :       if (1 == i)
    1046           2 :         prefix = DRBG_PREFIX1;
    1047             :       /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
    1048          10 :       seed2.buf = &prefix;
    1049          10 :       ret = drbg_hmac (drbg, drbg->C, drbg->C, &seed1);
    1050          10 :       if (ret)
    1051           6 :         return ret;
    1052             : 
    1053             :       /* 10.1.2.2 step 2 and 5 -- HMAC for V */
    1054          10 :       ret = drbg_hmac (drbg, drbg->C, drbg->V, &cipherin);
    1055          10 :       if (ret)
    1056           0 :         return ret;
    1057             : 
    1058             :       /* 10.1.2.2 step 3 */
    1059          10 :       if (!seed || 0 == seed->len)
    1060           6 :         return ret;
    1061             :     }
    1062           2 :   return 0;
    1063             : }
    1064             : 
    1065             : /* generate function of HMAC DRBG as defined in 10.1.2.5 */
    1066             : static gpg_err_code_t
    1067           6 : drbg_hmac_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen,
    1068             :                     drbg_string_t *addtl)
    1069             : {
    1070           6 :   gpg_err_code_t ret = 0;
    1071           6 :   unsigned int len = 0;
    1072             :   drbg_string_t data;
    1073             : 
    1074             :   /* 10.1.2.5 step 2 */
    1075           6 :   if (addtl && 0 < addtl->len)
    1076             :     {
    1077           0 :       addtl->next = NULL;
    1078           0 :       ret = drbg_hmac_update (drbg, addtl, 1);
    1079           0 :       if (ret)
    1080           0 :         return ret;
    1081             :     }
    1082             : 
    1083           6 :   drbg_string_fill (&data, drbg->V, drbg_statelen (drbg));
    1084          18 :   while (len < buflen)
    1085             :     {
    1086           6 :       unsigned int outlen = 0;
    1087             :       /* 10.1.2.5 step 4.1 */
    1088           6 :       ret = drbg_hmac (drbg, drbg->C, drbg->V, &data);
    1089           6 :       if (ret)
    1090           0 :         return ret;
    1091          12 :       outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
    1092           6 :         drbg_blocklen (drbg) : (buflen - len);
    1093             : 
    1094             :       /* 10.1.2.5 step 4.2 */
    1095           6 :       memcpy (buf + len, drbg->V, outlen);
    1096           6 :       len += outlen;
    1097             :     }
    1098             : 
    1099             :   /* 10.1.2.5 step 6 */
    1100           6 :   if (addtl)
    1101           0 :     addtl->next = NULL;
    1102           6 :   ret = drbg_hmac_update (drbg, addtl, 1);
    1103             : 
    1104           6 :   return ret;
    1105             : }
    1106             : 
    1107             : static struct drbg_state_ops_s drbg_hmac_ops = {
    1108             :   drbg_hmac_update,
    1109             :   drbg_hmac_generate
    1110             : };
    1111             : 
    1112             : /******************************************************************
    1113             :  * Hash DRBG callback functions
    1114             :  ******************************************************************/
    1115             : 
    1116             : /*
    1117             :  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
    1118             :  * interlinked, the scratchpad is used as follows:
    1119             :  * drbg_hash_update
    1120             :  *      start: drbg->scratchpad
    1121             :  *      length: drbg_statelen(drbg)
    1122             :  * drbg_hash_df:
    1123             :  *      start: drbg->scratchpad + drbg_statelen(drbg)
    1124             :  *      length: drbg_blocklen(drbg)
    1125             :  */
    1126             : /* Derivation Function for Hash DRBG as defined in 10.4.1 */
    1127             : static gpg_err_code_t
    1128           0 : drbg_hash_df (drbg_state_t drbg,
    1129             :               unsigned char *outval, size_t outlen,
    1130             :               drbg_string_t *entropy)
    1131             : {
    1132           0 :   gpg_err_code_t ret = 0;
    1133           0 :   size_t len = 0;
    1134             :   unsigned char input[5];
    1135           0 :   unsigned char *tmp = drbg->scratchpad + drbg_statelen (drbg);
    1136             :   drbg_string_t data1;
    1137             : 
    1138           0 :   memset (tmp, 0, drbg_blocklen (drbg));
    1139             : 
    1140             :   /* 10.4.1 step 3 */
    1141           0 :   input[0] = 1;
    1142           0 :   drbg_cpu_to_be32 ((outlen * 8), &input[1]);
    1143             : 
    1144             :   /* 10.4.1 step 4.1 -- concatenation of data for input into hash */
    1145           0 :   drbg_string_fill (&data1, input, 5);
    1146           0 :   data1.next = entropy;
    1147             : 
    1148             :   /* 10.4.1 step 4 */
    1149           0 :   while (len < outlen)
    1150             :     {
    1151           0 :       short blocklen = 0;
    1152             :       /* 10.4.1 step 4.1 */
    1153           0 :       ret = drbg_hmac (drbg, NULL, tmp, &data1);
    1154           0 :       if (ret)
    1155           0 :         goto out;
    1156             :       /* 10.4.1 step 4.2 */
    1157           0 :       input[0]++;
    1158           0 :       blocklen = (drbg_blocklen (drbg) < (outlen - len)) ?
    1159           0 :         drbg_blocklen (drbg) : (outlen - len);
    1160           0 :       memcpy (outval + len, tmp, blocklen);
    1161           0 :       len += blocklen;
    1162             :     }
    1163             : 
    1164             :  out:
    1165           0 :   memset (tmp, 0, drbg_blocklen (drbg));
    1166           0 :   return ret;
    1167             : }
    1168             : 
    1169             : /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
    1170             : static gpg_err_code_t
    1171           0 : drbg_hash_update (drbg_state_t drbg, drbg_string_t *seed, int reseed)
    1172             : {
    1173           0 :   gpg_err_code_t ret = 0;
    1174             :   drbg_string_t data1, data2;
    1175           0 :   unsigned char *V = drbg->scratchpad;
    1176           0 :   unsigned char prefix = DRBG_PREFIX1;
    1177             : 
    1178           0 :   memset (drbg->scratchpad, 0, drbg_statelen (drbg));
    1179           0 :   if (!seed)
    1180           0 :     return GPG_ERR_INV_ARG;
    1181             : 
    1182           0 :   if (reseed)
    1183             :     {
    1184             :       /* 10.1.1.3 step 1: string length is concatenation of
    1185             :        * 1 byte, V and seed (which is concatenated entropy/addtl
    1186             :        * input)
    1187             :        */
    1188           0 :       memcpy (V, drbg->V, drbg_statelen (drbg));
    1189           0 :       drbg_string_fill (&data1, &prefix, 1);
    1190           0 :       drbg_string_fill (&data2, V, drbg_statelen (drbg));
    1191           0 :       data1.next = &data2;
    1192           0 :       data2.next = seed;
    1193             :     }
    1194             :   else
    1195             :     {
    1196           0 :       drbg_string_fill (&data1, seed->buf, seed->len);
    1197           0 :       data1.next = seed->next;
    1198             :     }
    1199             : 
    1200             :   /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
    1201           0 :   ret = drbg_hash_df (drbg, drbg->V, drbg_statelen (drbg), &data1);
    1202           0 :   if (ret)
    1203           0 :     goto out;
    1204             : 
    1205             :   /* 10.1.1.2 / 10.1.1.3 step 4 -- concatenation  */
    1206           0 :   prefix = DRBG_PREFIX0;
    1207           0 :   drbg_string_fill (&data1, &prefix, 1);
    1208           0 :   drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
    1209           0 :   data1.next = &data2;
    1210             :   /* 10.1.1.2 / 10.1.1.3 step 4 -- df operation */
    1211           0 :   ret = drbg_hash_df (drbg, drbg->C, drbg_statelen (drbg), &data1);
    1212             : 
    1213             :  out:
    1214           0 :   memset (drbg->scratchpad, 0, drbg_statelen (drbg));
    1215           0 :   return ret;
    1216             : }
    1217             : 
    1218             : /* Processing of additional information string for Hash DRBG.  */
    1219             : static gpg_err_code_t
    1220           0 : drbg_hash_process_addtl (drbg_state_t drbg, drbg_string_t *addtl)
    1221             : {
    1222           0 :   gpg_err_code_t ret = 0;
    1223             :   drbg_string_t data1, data2;
    1224             :   drbg_string_t *data3;
    1225           0 :   unsigned char prefix = DRBG_PREFIX2;
    1226             : 
    1227             :   /* this is value w as per documentation */
    1228           0 :   memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
    1229             : 
    1230             :   /* 10.1.1.4 step 2 */
    1231           0 :   if (!addtl || 0 == addtl->len)
    1232           0 :     return 0;
    1233             : 
    1234             :   /* 10.1.1.4 step 2a -- concatenation */
    1235           0 :   drbg_string_fill (&data1, &prefix, 1);
    1236           0 :   drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
    1237           0 :   data3 = addtl;
    1238           0 :   data1.next = &data2;
    1239           0 :   data2.next = data3;
    1240           0 :   data3->next = NULL;
    1241             :   /* 10.1.1.4 step 2a -- cipher invocation */
    1242           0 :   ret = drbg_hmac (drbg, NULL, drbg->scratchpad, &data1);
    1243           0 :   if (ret)
    1244           0 :     goto out;
    1245             : 
    1246             :   /* 10.1.1.4 step 2b */
    1247           0 :   drbg_add_buf (drbg->V, drbg_statelen (drbg),
    1248           0 :                      drbg->scratchpad, drbg_blocklen (drbg));
    1249             : 
    1250             :  out:
    1251           0 :   memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
    1252           0 :   return ret;
    1253             : }
    1254             : 
    1255             : /*
    1256             :  * Hashgen defined in 10.1.1.4
    1257             :  */
    1258             : static gpg_err_code_t
    1259           0 : drbg_hash_hashgen (drbg_state_t drbg,
    1260             :                    unsigned char *buf, unsigned int buflen)
    1261             : {
    1262           0 :   gpg_err_code_t ret = 0;
    1263           0 :   unsigned int len = 0;
    1264           0 :   unsigned char *src = drbg->scratchpad;
    1265           0 :   unsigned char *dst = drbg->scratchpad + drbg_statelen (drbg);
    1266             :   drbg_string_t data;
    1267           0 :   unsigned char prefix = DRBG_PREFIX1;
    1268             : 
    1269             :   /* use the scratchpad as a lookaside buffer */
    1270           0 :   memset (src, 0, drbg_statelen (drbg));
    1271           0 :   memset (dst, 0, drbg_blocklen (drbg));
    1272             : 
    1273             :   /* 10.1.1.4 step hashgen 2 */
    1274           0 :   memcpy (src, drbg->V, drbg_statelen (drbg));
    1275             : 
    1276           0 :   drbg_string_fill (&data, src, drbg_statelen (drbg));
    1277           0 :   while (len < buflen)
    1278             :     {
    1279           0 :       unsigned int outlen = 0;
    1280             :       /* 10.1.1.4 step hashgen 4.1 */
    1281           0 :       ret = drbg_hmac (drbg, NULL, dst, &data);
    1282           0 :       if (ret)
    1283           0 :         goto out;
    1284           0 :       outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
    1285           0 :         drbg_blocklen (drbg) : (buflen - len);
    1286             :       /* 10.1.1.4 step hashgen 4.2 */
    1287           0 :       memcpy (buf + len, dst, outlen);
    1288           0 :       len += outlen;
    1289             :       /* 10.1.1.4 hashgen step 4.3 */
    1290           0 :       if (len < buflen)
    1291           0 :         drbg_add_buf (src, drbg_statelen (drbg), &prefix, 1);
    1292             :     }
    1293             : 
    1294             :  out:
    1295           0 :   memset (drbg->scratchpad, 0,
    1296           0 :           (drbg_statelen (drbg) + drbg_blocklen (drbg)));
    1297           0 :   return ret;
    1298             : }
    1299             : 
    1300             : /* Generate function for Hash DRBG as defined in 10.1.1.4  */
    1301             : static gpg_err_code_t
    1302           0 : drbg_hash_generate (drbg_state_t drbg,
    1303             :                          unsigned char *buf, unsigned int buflen,
    1304             :                          drbg_string_t *addtl)
    1305             : {
    1306           0 :   gpg_err_code_t ret = 0;
    1307           0 :   unsigned char prefix = DRBG_PREFIX3;
    1308             :   drbg_string_t data1, data2;
    1309             :   union
    1310             :   {
    1311             :     unsigned char req[8];
    1312             :     u64 req_int;
    1313             :   } u;
    1314             : 
    1315             :   /*
    1316             :    * scratchpad usage: drbg_hash_process_addtl uses the scratchpad, but
    1317             :    * fully completes before returning. Thus, we can reuse the scratchpad
    1318             :    */
    1319             :   /* 10.1.1.4 step 2 */
    1320           0 :   ret = drbg_hash_process_addtl (drbg, addtl);
    1321           0 :   if (ret)
    1322           0 :     return ret;
    1323             :   /* 10.1.1.4 step 3 -- invocation of the Hashgen function defined in
    1324             :    * 10.1.1.4 */
    1325           0 :   ret = drbg_hash_hashgen (drbg, buf, buflen);
    1326           0 :   if (ret)
    1327           0 :     return ret;
    1328             : 
    1329             :   /* this is the value H as documented in 10.1.1.4 */
    1330           0 :   memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
    1331             :   /* 10.1.1.4 step 4 */
    1332           0 :   drbg_string_fill (&data1, &prefix, 1);
    1333           0 :   drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
    1334           0 :   data1.next = &data2;
    1335           0 :   ret = drbg_hmac (drbg, NULL, drbg->scratchpad, &data1);
    1336           0 :   if (ret)
    1337           0 :     goto out;
    1338             : 
    1339             :   /* 10.1.1.4 step 5 */
    1340           0 :   drbg_add_buf (drbg->V, drbg_statelen (drbg),
    1341           0 :                      drbg->scratchpad, drbg_blocklen (drbg));
    1342           0 :   drbg_add_buf (drbg->V, drbg_statelen (drbg), drbg->C,
    1343           0 :                      drbg_statelen (drbg));
    1344           0 :   u.req_int = be_bswap64 (drbg->reseed_ctr);
    1345           0 :   drbg_add_buf (drbg->V, drbg_statelen (drbg), u.req,
    1346             :                      sizeof (u.req));
    1347             : 
    1348             :  out:
    1349           0 :   memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
    1350           0 :   return ret;
    1351             : }
    1352             : 
    1353             : /*
    1354             :  * scratchpad usage: as update and generate are used isolated, both
    1355             :  * can use the scratchpad
    1356             :  */
    1357             : static struct drbg_state_ops_s drbg_hash_ops = {
    1358             :   drbg_hash_update,
    1359             :   drbg_hash_generate
    1360             : };
    1361             : 
    1362             : /******************************************************************
    1363             :  * Functions common for DRBG implementations
    1364             :  ******************************************************************/
    1365             : 
    1366             : /*
    1367             :  * Seeding or reseeding of the DRBG
    1368             :  *
    1369             :  * @drbg: DRBG state struct
    1370             :  * @pers: personalization / additional information buffer
    1371             :  * @reseed: 0 for initial seed process, 1 for reseeding
    1372             :  *
    1373             :  * return:
    1374             :  *      0 on success
    1375             :  *      error value otherwise
    1376             :  */
    1377             : static gpg_err_code_t
    1378           2 : drbg_seed (drbg_state_t drbg, drbg_string_t *pers, int reseed)
    1379             : {
    1380           2 :   gpg_err_code_t ret = 0;
    1381           2 :   unsigned char *entropy = NULL;
    1382           2 :   size_t entropylen = 0;
    1383             :   drbg_string_t data1;
    1384             : 
    1385             :   /* 9.1 / 9.2 / 9.3.1 step 3 */
    1386           2 :   if (pers && pers->len > (drbg_max_addtl ()))
    1387             :     {
    1388             :       dbg (("DRBG: personalization string too long %lu\n", pers->len));
    1389           0 :       return GPG_ERR_INV_ARG;
    1390             :     }
    1391           2 :   if (drbg->test_data && drbg->test_data->testentropy)
    1392             :     {
    1393           0 :       drbg_string_fill (&data1, drbg->test_data->testentropy->buf,
    1394           0 :                              drbg->test_data->testentropy->len);
    1395             :       dbg (("DRBG: using test entropy\n"));
    1396             :     }
    1397             :   else
    1398             :     {
    1399             :       /* Gather entropy equal to the security strength of the DRBG.
    1400             :        * With a derivation function, a nonce is required in addition
    1401             :        * to the entropy. A nonce must be at least 1/2 of the security
    1402             :        * strength of the DRBG in size. Thus, entropy * nonce is 3/2
    1403             :        * of the strength. The consideration of a nonce is only
    1404             :        * applicable during initial seeding. */
    1405           2 :       entropylen = drbg_sec_strength (drbg->core->flags);
    1406           2 :       if (!entropylen)
    1407           0 :         return GPG_ERR_GENERAL;
    1408           2 :       if (0 == reseed)
    1409             :         /* make sure we round up strength/2 in
    1410             :          * case it is not divisible by 2 */
    1411           2 :         entropylen = ((entropylen + 1) / 2) * 3;
    1412             :       dbg (("DRBG: (re)seeding with %lu bytes of entropy\n", entropylen));
    1413           2 :       entropy = xcalloc_secure (1, entropylen);
    1414           2 :       if (!entropy)
    1415           0 :         return GPG_ERR_ENOMEM;
    1416           2 :       ret = drbg_get_entropy (drbg, entropy, entropylen);
    1417           2 :       if (ret)
    1418           0 :         goto out;
    1419           2 :       drbg_string_fill (&data1, entropy, entropylen);
    1420             :     }
    1421             : 
    1422             :   /* concatenation of entropy with personalization str / addtl input)
    1423             :    * the variable pers is directly handed by the caller, check its
    1424             :    * contents whether it is appropriate */
    1425           2 :   if (pers && pers->buf && 0 < pers->len && NULL == pers->next)
    1426             :     {
    1427           0 :       data1.next = pers;
    1428             :       dbg (("DRBG: using personalization string\n"));
    1429             :     }
    1430             : 
    1431           2 :   ret = drbg->d_ops->update (drbg, &data1, reseed);
    1432             :   dbg (("DRBG: state updated with seed\n"));
    1433           2 :   if (ret)
    1434           0 :     goto out;
    1435           2 :   drbg->seeded = 1;
    1436             :   /* 10.1.1.2 / 10.1.1.3 step 5 */
    1437           2 :   drbg->reseed_ctr = 1;
    1438             : 
    1439             :  out:
    1440           2 :   xfree (entropy);
    1441           2 :   return ret;
    1442             : }
    1443             : 
    1444             : 
    1445             : /*************************************************************************
    1446             :  * Exported interfaces.
    1447             :  *************************************************************************/
    1448             : 
    1449             : /*
    1450             :  * DRBG generate function as required by SP800-90A - this function
    1451             :  * generates random numbers
    1452             :  *
    1453             :  * @drbg   DRBG state handle
    1454             :  * @buf    Buffer where to store the random numbers -- the buffer must already
    1455             :  *         be pre-allocated by caller
    1456             :  * @buflen Length of output buffer - this value defines the number of random
    1457             :  *         bytes pulled from DRBG
    1458             :  * @addtl  Additional input that is mixed into state, may be NULL -- note
    1459             :  *         the entropy is pulled by the DRBG internally unconditionally
    1460             :  *         as defined in SP800-90A. The additional input is mixed into
    1461             :  *         the state in addition to the pulled entropy.
    1462             :  *
    1463             :  * return: Generated number of bytes.
    1464             :  */
    1465             : static gpg_err_code_t
    1466           6 : drbg_generate (drbg_state_t drbg,
    1467             :                unsigned char *buf, unsigned int buflen,
    1468             :                drbg_string_t *addtl)
    1469             : {
    1470           6 :   gpg_err_code_t ret = GPG_ERR_INV_ARG;
    1471             : 
    1472           6 :   if (0 == buflen || !buf)
    1473             :     {
    1474             :       dbg (("DRBG: no buffer provided\n"));
    1475           0 :       return ret;
    1476             :     }
    1477           6 :   if (addtl && NULL == addtl->buf && 0 < addtl->len)
    1478             :     {
    1479             :       dbg (("DRBG: wrong format of additional information\n"));
    1480           0 :       return ret;
    1481             :     }
    1482             : 
    1483             :   /* 9.3.1 step 2 */
    1484           6 :   if (buflen > (drbg_max_request_bytes ()))
    1485             :     {
    1486             :       dbg (("DRBG: requested random numbers too large %u\n", buflen));
    1487           0 :       return ret;
    1488             :     }
    1489             :   /* 9.3.1 step 3 is implicit with the chosen DRBG */
    1490             :   /* 9.3.1 step 4 */
    1491           6 :   if (addtl && addtl->len > (drbg_max_addtl ()))
    1492             :     {
    1493             :       dbg (("DRBG: additional information string too long %lu\n",
    1494             :             addtl->len));
    1495           0 :       return ret;
    1496             :     }
    1497             :   /* 9.3.1 step 5 is implicit with the chosen DRBG */
    1498             :   /* 9.3.1 step 6 and 9 supplemented by 9.3.2 step c -- the spec is a
    1499             :    * bit convoluted here, we make it simpler */
    1500           6 :   if ((drbg_max_requests ()) < drbg->reseed_ctr)
    1501           0 :     drbg->seeded = 0;
    1502             : 
    1503           6 :   if (drbg->pr || !drbg->seeded)
    1504             :     {
    1505             :       dbg (("DRBG: reseeding before generation (prediction resistance: %s, state %s)\n", drbg->pr ? "true" : "false", drbg->seeded ? "seeded" : "unseeded"));
    1506             :       /* 9.3.1 steps 7.1 through 7.3 */
    1507           0 :       ret = drbg_seed (drbg, addtl, 1);
    1508           0 :       if (ret)
    1509           0 :         return ret;
    1510             :       /* 9.3.1 step 7.4 */
    1511           0 :       addtl = NULL;
    1512             :     }
    1513             : 
    1514           6 :   if (addtl && addtl->buf)
    1515             :     {
    1516             :       dbg (("DRBG: using additional information string\n"));
    1517             :     }
    1518             : 
    1519             :   /* 9.3.1 step 8 and 10 */
    1520           6 :   ret = drbg->d_ops->generate (drbg, buf, buflen, addtl);
    1521             : 
    1522             :   /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
    1523           6 :   drbg->reseed_ctr++;
    1524           6 :   if (ret)
    1525           0 :     return ret;
    1526             : 
    1527             :   /* 11.3.3 -- re-perform self tests after some generated random
    1528             :    * numbers, the chosen value after which self test is performed
    1529             :    * is arbitrary, but it should be reasonable */
    1530             :   /* Here we do not perform the self tests because of the following
    1531             :    * reasons: it is mathematically impossible that the initial self tests
    1532             :    * were successfully and the following are not. If the initial would
    1533             :    * pass and the following would not, the system integrity is violated.
    1534             :    * In this case, the entire system operation is questionable and it
    1535             :    * is unlikely that the integrity violation only affects to the
    1536             :    * correct operation of the DRBG.
    1537             :    */
    1538             : #if 0
    1539             :   if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096))
    1540             :     {
    1541             :       dbg (("DRBG: start to perform self test\n"));
    1542             :       ret = drbg_healthcheck ();
    1543             :       if (ret)
    1544             :         {
    1545             :           log_fatal (("DRBG: self test failed\n"));
    1546             :           return ret;
    1547             :         }
    1548             :       else
    1549             :         {
    1550             :           dbg (("DRBG: self test successful\n"));
    1551             :         }
    1552             :     }
    1553             : #endif
    1554             : 
    1555           6 :   return ret;
    1556             : }
    1557             : 
    1558             : /*
    1559             :  * Wrapper around drbg_generate which can pull arbitrary long strings
    1560             :  * from the DRBG without hitting the maximum request limitation.
    1561             :  *
    1562             :  * Parameters: see drbg_generate
    1563             :  * Return codes: see drbg_generate -- if one drbg_generate request fails,
    1564             :  *               the entire drbg_generate_long request fails
    1565             :  */
    1566             : static gpg_err_code_t
    1567           6 : drbg_generate_long (drbg_state_t drbg,
    1568             :                     unsigned char *buf, unsigned int buflen,
    1569             :                     drbg_string_t *addtl)
    1570             : {
    1571           6 :   gpg_err_code_t ret = 0;
    1572           6 :   unsigned int slice = 0;
    1573           6 :   unsigned char *buf_p = buf;
    1574           6 :   unsigned len = 0;
    1575             :   do
    1576             :     {
    1577           6 :       unsigned int chunk = 0;
    1578           6 :       slice = ((buflen - len) / drbg_max_request_bytes ());
    1579           6 :       chunk = slice ? drbg_max_request_bytes () : (buflen - len);
    1580           6 :       ret = drbg_generate (drbg, buf_p, chunk, addtl);
    1581           6 :       if (ret)
    1582           0 :         return ret;
    1583           6 :       buf_p += chunk;
    1584           6 :       len += chunk;
    1585             :     }
    1586           6 :   while (slice > 0 && (len < buflen));
    1587           6 :   return ret;
    1588             : }
    1589             : 
    1590             : /*
    1591             :  * DRBG uninstantiate function as required by SP800-90A - this function
    1592             :  * frees all buffers and the DRBG handle
    1593             :  *
    1594             :  * @drbg DRBG state handle
    1595             :  *
    1596             :  * return
    1597             :  *      0 on success
    1598             :  */
    1599             : static gpg_err_code_t
    1600           0 : drbg_uninstantiate (drbg_state_t drbg)
    1601             : {
    1602           0 :   if (!drbg)
    1603           0 :     return GPG_ERR_INV_ARG;
    1604           0 :   xfree (drbg->V);
    1605           0 :   drbg->V = NULL;
    1606           0 :   xfree (drbg->C);
    1607           0 :   drbg->C = NULL;
    1608           0 :   drbg->reseed_ctr = 0;
    1609           0 :   xfree (drbg->scratchpad);
    1610           0 :   drbg->scratchpad = NULL;
    1611           0 :   drbg->seeded = 0;
    1612           0 :   drbg->pr = 0;
    1613           0 :   drbg->seed_init_pid = 0;
    1614           0 :   return 0;
    1615             : }
    1616             : 
    1617             : /*
    1618             :  * DRBG instantiation function as required by SP800-90A - this function
    1619             :  * sets up the DRBG handle, performs the initial seeding and all sanity
    1620             :  * checks required by SP800-90A
    1621             :  *
    1622             :  * @drbg memory of state -- if NULL, new memory is allocated
    1623             :  * @pers Personalization string that is mixed into state, may be NULL -- note
    1624             :  *       the entropy is pulled by the DRBG internally unconditionally
    1625             :  *       as defined in SP800-90A. The additional input is mixed into
    1626             :  *       the state in addition to the pulled entropy.
    1627             :  * @coreref reference to core
    1628             :  * @flags Flags defining the requested DRBG type and cipher type. The flags
    1629             :  *        are defined in drbg.h and may be XORed. Beware, if you XOR multiple
    1630             :  *        cipher types together, the code picks the core on a first come first
    1631             :  *        serve basis as it iterates through the available cipher cores and
    1632             :  *        uses the one with the first match. The minimum required flags are:
    1633             :  *              cipher type flag
    1634             :  *
    1635             :  * return
    1636             :  *      0 on success
    1637             :  *      error value otherwise
    1638             :  */
    1639             : static gpg_err_code_t
    1640           2 : drbg_instantiate (drbg_state_t drbg,
    1641             :                   drbg_string_t *pers, int coreref, int pr)
    1642             : {
    1643           2 :   gpg_err_code_t ret = GPG_ERR_ENOMEM;
    1644           2 :   unsigned int sb_size = 0;
    1645             : 
    1646           2 :   if (!drbg)
    1647           0 :     return GPG_ERR_INV_ARG;
    1648             : 
    1649             :   dbg (("DRBG: Initializing DRBG core %d with prediction resistance %s\n",
    1650             :         coreref, pr ? "enabled" : "disabled"));
    1651           2 :   drbg->core = &drbg_cores[coreref];
    1652           2 :   drbg->pr = pr;
    1653           2 :   drbg->seeded = 0;
    1654           2 :   if (drbg->core->flags & DRBG_HMAC)
    1655           2 :     drbg->d_ops = &drbg_hmac_ops;
    1656           0 :   else if (drbg->core->flags & DRBG_HASH_MASK)
    1657           0 :     drbg->d_ops = &drbg_hash_ops;
    1658           0 :   else if (drbg->core->flags & DRBG_CTR_MASK)
    1659           0 :     drbg->d_ops = &drbg_ctr_ops;
    1660             :   else
    1661           0 :     return GPG_ERR_GENERAL;
    1662             :   /* 9.1 step 1 is implicit with the selected DRBG type -- see
    1663             :    * drbg_sec_strength() */
    1664             : 
    1665             :   /* 9.1 step 2 is implicit as caller can select prediction resistance
    1666             :    * and the flag is copied into drbg->flags --
    1667             :    * all DRBG types support prediction resistance */
    1668             : 
    1669             :   /* 9.1 step 4 is implicit in  drbg_sec_strength */
    1670             : 
    1671             :   /* no allocation of drbg as this is done by the kernel crypto API */
    1672           2 :   drbg->V = xcalloc_secure (1, drbg_statelen (drbg));
    1673           2 :   if (!drbg->V)
    1674           0 :     goto err;
    1675           2 :   drbg->C = xcalloc_secure (1, drbg_statelen (drbg));
    1676           2 :   if (!drbg->C)
    1677           0 :     goto err;
    1678             :   /* scratchpad is only generated for CTR and Hash */
    1679           2 :   if (drbg->core->flags & DRBG_HMAC)
    1680           2 :     sb_size = 0;
    1681           0 :   else if (drbg->core->flags & DRBG_CTR_MASK)
    1682           0 :     sb_size = drbg_statelen (drbg) + drbg_blocklen (drbg) +     /* temp */
    1683           0 :       drbg_statelen (drbg) +    /* df_data */
    1684           0 :       drbg_blocklen (drbg) +    /* pad */
    1685           0 :       drbg_blocklen (drbg) +    /* iv */
    1686           0 :       drbg_statelen (drbg) + drbg_blocklen (drbg);      /* temp */
    1687             :   else
    1688           0 :     sb_size = drbg_statelen (drbg) + drbg_blocklen (drbg);
    1689             : 
    1690           2 :   if (0 < sb_size)
    1691             :     {
    1692           0 :       drbg->scratchpad = xcalloc_secure (1, sb_size);
    1693           0 :       if (!drbg->scratchpad)
    1694           0 :         goto err;
    1695             :     }
    1696             :   dbg (("DRBG: state allocated with scratchpad size %u bytes\n", sb_size));
    1697             : 
    1698             :   /* 9.1 step 6 through 11 */
    1699           2 :   ret = drbg_seed (drbg, pers, 0);
    1700           2 :   if (ret)
    1701           0 :     goto err;
    1702             : 
    1703             :   dbg (("DRBG: core %d %s prediction resistance successfully initialized\n",
    1704             :         coreref, pr ? "with" : "without"));
    1705           2 :   return 0;
    1706             : 
    1707             :  err:
    1708           0 :   drbg_uninstantiate (drbg);
    1709           0 :   return ret;
    1710             : }
    1711             : 
    1712             : /*
    1713             :  * DRBG reseed function as required by SP800-90A
    1714             :  *
    1715             :  * @drbg DRBG state handle
    1716             :  * @addtl Additional input that is mixed into state, may be NULL -- note
    1717             :  *              the entropy is pulled by the DRBG internally unconditionally
    1718             :  *              as defined in SP800-90A. The additional input is mixed into
    1719             :  *              the state in addition to the pulled entropy.
    1720             :  *
    1721             :  * return
    1722             :  *      0 on success
    1723             :  *      error value otherwise
    1724             :  */
    1725             : static gpg_err_code_t
    1726           0 : drbg_reseed (drbg_state_t drbg,drbg_string_t *addtl)
    1727             : {
    1728           0 :   gpg_err_code_t ret = 0;
    1729           0 :   ret = drbg_seed (drbg, addtl, 1);
    1730           0 :   return ret;
    1731             : }
    1732             : 
    1733             : 
    1734             : 
    1735             : /******************************************************************
    1736             :  * Libgcrypt integration code.
    1737             :  ******************************************************************/
    1738             : 
    1739             : /***************************************************
    1740             :  * Libgcrypt backend functions to the RNG API code.
    1741             :  ***************************************************/
    1742             : 
    1743             : static inline void
    1744          12 : drbg_lock (void)
    1745             : {
    1746             :   gpg_err_code_t ec;
    1747             : 
    1748          12 :   ec = gpgrt_lock_lock (&drbg_lock_var);
    1749          12 :   if (ec)
    1750           0 :     log_fatal ("failed to acquire the RNG lock: %s\n", gpg_strerror (ec));
    1751          12 : }
    1752             : 
    1753             : static inline void
    1754          12 : drbg_unlock (void)
    1755             : {
    1756             :   gpg_err_code_t ec;
    1757             : 
    1758          12 :   ec = gpgrt_lock_unlock (&drbg_lock_var);
    1759          12 :   if (ec)
    1760           0 :     log_fatal ("failed to release the RNG lock: %s\n", gpg_strerror (ec));
    1761          12 : }
    1762             : 
    1763             : /* Basic initialization is required to initialize mutexes and
    1764             :    do a few checks on the implementation.  */
    1765             : static void
    1766           8 : basic_initialization (void)
    1767             : {
    1768             :   static int initialized;
    1769             : 
    1770           8 :   if (initialized)
    1771          14 :     return;
    1772           2 :   initialized = 1;
    1773             : 
    1774             :   /* Make sure that we are still using the values we have
    1775             :      traditionally used for the random levels.  */
    1776             :   gcry_assert (GCRY_WEAK_RANDOM == 0
    1777             :                && GCRY_STRONG_RANDOM == 1
    1778             :                && GCRY_VERY_STRONG_RANDOM == 2);
    1779             : }
    1780             : 
    1781             : /****** helper functions where lock must be held by caller *****/
    1782             : 
    1783             : /* Check whether given flags are known to point to an applicable DRBG */
    1784             : static gpg_err_code_t
    1785           2 : drbg_algo_available (u32 flags, int *coreref)
    1786             : {
    1787           2 :   int i = 0;
    1788          12 :   for (i = 0; ARRAY_SIZE (drbg_cores) > i; i++)
    1789             :     {
    1790          12 :       if ((drbg_cores[i].flags & DRBG_CIPHER_MASK) ==
    1791             :           (flags & DRBG_CIPHER_MASK))
    1792             :         {
    1793           2 :           *coreref = i;
    1794           2 :           return 0;
    1795             :         }
    1796             :     }
    1797           0 :   return GPG_ERR_GENERAL;
    1798             : }
    1799             : 
    1800             : static gpg_err_code_t
    1801           2 : _drbg_init_internal (u32 flags, drbg_string_t *pers)
    1802             : {
    1803             :   static u32 oldflags;
    1804           2 :   gpg_err_code_t ret = 0;
    1805           2 :   int coreref = 0;
    1806           2 :   int pr = 0;
    1807             : 
    1808             :   /* If a caller provides 0 as flags, use the flags of the previous
    1809             :    * initialization, otherwise use the current flags and remember them
    1810             :    * for the next invocation.  If no flag is given and no global state
    1811             :    * is set this is the first initialization and we set the default
    1812             :    * type.
    1813             :    */
    1814           2 :   if (!flags && !drbg_state)
    1815           2 :     flags = oldflags = DRBG_DEFAULT_TYPE;
    1816           0 :   else if (!flags)
    1817           0 :     flags = oldflags;
    1818             :   else
    1819           0 :     oldflags = flags;
    1820             : 
    1821           2 :   ret = drbg_algo_available (flags, &coreref);
    1822           2 :   if (ret)
    1823           0 :     return ret;
    1824             : 
    1825           2 :   if (drbg_state)
    1826             :     {
    1827           0 :       drbg_uninstantiate (drbg_state);
    1828             :     }
    1829             :   else
    1830             :     {
    1831           2 :       drbg_state = xtrycalloc_secure (1, sizeof *drbg_state);
    1832           2 :       if (!drbg_state)
    1833           0 :         return gpg_err_code_from_syserror ();
    1834             :     }
    1835           2 :   if (flags & DRBG_PREDICTION_RESIST)
    1836           0 :     pr = 1;
    1837           2 :   ret = drbg_instantiate (drbg_state, pers, coreref, pr);
    1838           2 :   if (ret)
    1839           0 :     fips_signal_error ("DRBG cannot be initialized");
    1840             :   else
    1841           2 :     drbg_state->seed_init_pid = getpid ();
    1842           2 :   return ret;
    1843             : }
    1844             : 
    1845             : /************* calls available to common RNG code **************/
    1846             : 
    1847             : /*
    1848             :  * Initialize one DRBG invoked by the libgcrypt API
    1849             :  */
    1850             : void
    1851           8 : _gcry_rngdrbg_inititialize (int full)
    1852             : {
    1853           8 :   basic_initialization ();
    1854           8 :   if (!full)
    1855          10 :       return;
    1856           6 :   drbg_lock ();
    1857           6 :   if (!drbg_state)
    1858           2 :     _drbg_init_internal (0, NULL);
    1859           6 :   drbg_unlock ();
    1860             : }
    1861             : 
    1862             : /*
    1863             :  * Backend handler function for GCRYCTL_DRBG_REINIT
    1864             :  *
    1865             :  * Select a different DRBG type and initialize it.
    1866             :  * Function checks whether requested DRBG type exists and returns an error in
    1867             :  * case it does not. In case of an error, the previous instantiated DRBG is
    1868             :  * left untouched and alive. Thus, in case of an error, a DRBG is always
    1869             :  * available, even if it is not the chosen one.
    1870             :  *
    1871             :  * Re-initialization will be performed in any case regardless whether flags
    1872             :  * or personalization string are set.
    1873             :  *
    1874             :  * If flags is NULL, do not change current DRBG.  If PERS is NULL and
    1875             :  * NPERS is 0, re-initialize without personalization string.  If PERS
    1876             :  * is not NULL NPERS must be one and PERS and the first ietm from the
    1877             :  * bufer is take as personalization string.
    1878             :  */
    1879             : gpg_err_code_t
    1880           0 : _gcry_rngdrbg_reinit (const char *flagstr, gcry_buffer_t *pers, int npers)
    1881             : {
    1882             :   gpg_err_code_t ret;
    1883             :   unsigned int flags;
    1884             : 
    1885             :   /* If PERS is not given we expect NPERS to be zero; if given we
    1886             :      expect a one-item array.  */
    1887           0 :   if ((!pers && npers) || (pers && npers != 1))
    1888           0 :     return GPG_ERR_INV_ARG;
    1889             : 
    1890           0 :   ret = parse_flag_string (flagstr, &flags);
    1891           0 :   if (!ret)
    1892             :     {
    1893             :       dbg (("DRBG: reinitialize internal DRBG state with flags %u\n", flags));
    1894           0 :       drbg_lock ();
    1895           0 :       if (pers)
    1896             :         {
    1897             :           drbg_string_t persbuf;
    1898             : 
    1899           0 :           drbg_string_fill
    1900           0 :             (&persbuf, (const unsigned char *)pers[0].data + pers[0].off,
    1901             :              pers[0].len);
    1902           0 :           ret = _drbg_init_internal (flags, &persbuf);
    1903             :         }
    1904             :       else
    1905           0 :         ret = _drbg_init_internal (flags, NULL);
    1906           0 :       drbg_unlock ();
    1907             :     }
    1908           0 :   return ret;
    1909             : }
    1910             : 
    1911             : /* Try to close the FDs of the random gather module.  This is
    1912             :  * currently only implemented for rndlinux. */
    1913             : void
    1914           0 : _gcry_rngdrbg_close_fds (void)
    1915             : {
    1916             : #if USE_RNDLINUX
    1917           0 :   drbg_lock ();
    1918           0 :   _gcry_rndlinux_gather_random (NULL, 0, 0, 0);
    1919           0 :   drbg_unlock ();
    1920             : #endif
    1921           0 : }
    1922             : 
    1923             : /* Print some statistics about the RNG.  */
    1924             : void
    1925           0 : _gcry_rngdrbg_dump_stats (void)
    1926             : {
    1927             :   /* Not yet implemented.  */
    1928             :   /* Maybe dumping of reseed counter? */
    1929           0 : }
    1930             : 
    1931             : /* This function returns true if no real RNG is available or the
    1932             :  * quality of the RNG has been degraded for test purposes.  */
    1933             : int
    1934           0 : _gcry_rngdrbg_is_faked (void)
    1935             : {
    1936           0 :   return 0;                     /* Faked random is not allowed.  */
    1937             : }
    1938             : 
    1939             : /* Add BUFLEN bytes from BUF to the internal random pool.  QUALITY
    1940             :  * should be in the range of 0..100 to indicate the goodness of the
    1941             :  * entropy added, or -1 for goodness not known. */
    1942             : gcry_error_t
    1943           0 : _gcry_rngdrbg_add_bytes (const void *buf, size_t buflen, int quality)
    1944             : {
    1945           0 :   gpg_err_code_t ret = 0;
    1946             :   drbg_string_t seed;
    1947             :   (void) quality;
    1948           0 :   _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */
    1949           0 :   if (!drbg_state)
    1950           0 :     return GPG_ERR_GENERAL;
    1951           0 :   drbg_string_fill (&seed, (unsigned char *) buf, buflen);
    1952           0 :   drbg_lock ();
    1953           0 :   ret = drbg_reseed (drbg_state, &seed);
    1954           0 :   drbg_unlock ();
    1955           0 :   return ret;
    1956             : }
    1957             : 
    1958             : /* This function is to be used for all types of random numbers, including
    1959             :  * nonces
    1960             :  */
    1961             : void
    1962           6 : _gcry_rngdrbg_randomize (void *buffer, size_t length,
    1963             :                       enum gcry_random_level level)
    1964             : {
    1965             :   (void) level;
    1966           6 :   _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */
    1967           6 :   drbg_lock ();
    1968           6 :   if (!drbg_state)
    1969             :     {
    1970           0 :       fips_signal_error ("DRBG is not initialized");
    1971           0 :       goto bailout;
    1972             :     }
    1973             : 
    1974             :   /* As reseeding changes the entire state of the DRBG, including any
    1975             :    * key, either a re-init or a reseed is sufficient for a fork */
    1976           6 :   if (drbg_state->seed_init_pid != getpid ())
    1977             :     {
    1978             :       /* We are in a child of us. Perform a reseeding. */
    1979           0 :       if (drbg_reseed (drbg_state, NULL))
    1980             :         {
    1981           0 :           fips_signal_error ("reseeding upon fork failed");
    1982           0 :           log_fatal ("severe error getting random\n");
    1983             :           goto bailout;
    1984             :         }
    1985             :     }
    1986             :   /* potential integer overflow is covered by drbg_generate which
    1987             :    * ensures that length cannot overflow an unsigned int */
    1988           6 :   if (0 < length)
    1989             :     {
    1990           6 :       if (!buffer)
    1991           0 :         goto bailout;
    1992           6 :       if (drbg_generate_long (drbg_state, buffer, (unsigned int) length, NULL))
    1993           0 :         log_fatal ("No random numbers generated\n");
    1994             :     }
    1995             :   else
    1996             :     {
    1997           0 :       drbg_gen_t *data = (drbg_gen_t *)buffer;
    1998             :       /* catch NULL pointer */
    1999           0 :       if (!data || !data->outbuf)
    2000             :         {
    2001           0 :           fips_signal_error ("No output buffer provided");
    2002           0 :           goto bailout;
    2003             :         }
    2004           0 :       if (drbg_generate_long (drbg_state, data->outbuf, data->outlen,
    2005             :                               data->addtl))
    2006           0 :         log_fatal ("No random numbers generated\n");
    2007             :     }
    2008             : 
    2009             :  bailout:
    2010           6 :   drbg_unlock ();
    2011           6 :   return;
    2012             : 
    2013             : }
    2014             : 
    2015             : /***************************************************************
    2016             :  * Self-test code
    2017             :  ***************************************************************/
    2018             : 
    2019             : /*
    2020             :  * Test vectors from
    2021             :  * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip
    2022             :  */
    2023             : struct gcry_drbg_test_vector drbg_test_pr[] = {
    2024             :   {
    2025             :     /* .flags = */ "sha256 pr" /* DRBG_PR_HASHSHA256 */,
    2026             :     /* .entropy = */ (unsigned char *)
    2027             :     "\x5d\xf2\x14\xbc\xf6\xb5\x4e\x0b\xf0\x0d\x6f\x2d"
    2028             :     "\xe2\x01\x66\x7b\xd0\xa4\x73\xa4\x21\xdd\xb0\xc0"
    2029             :     "\x51\x79\x09\xf4\xea\xa9\x08\xfa\xa6\x67\xe0\xe1"
    2030             :     "\xd1\x88\xa8\xad\xee\x69\x74\xb3\x55\x06\x9b\xf6",
    2031             :     /* .entropylen = */ 48,
    2032             :     /* .entpra = */ (unsigned char *)
    2033             :     "\xef\x48\x06\xa2\xc2\x45\xf1\x44\xfa\x34\x2c\xeb"
    2034             :     "\x8d\x78\x3c\x09\x8f\x34\x72\x20\xf2\xe7\xfd\x13"
    2035             :     "\x76\x0a\xf6\xdc\x3c\xf5\xc0\x15",
    2036             :     /* .entprb = */ (unsigned char *)
    2037             :     "\x4b\xbe\xe5\x24\xed\x6a\x2d\x0c\xdb\x73\x5e\x09"
    2038             :     "\xf9\xad\x67\x7c\x51\x47\x8b\x6b\x30\x2a\xc6\xde"
    2039             :     "\x76\xaa\x55\x04\x8b\x0a\x72\x95",
    2040             :     /* .entprlen = */ 32,
    2041             :     /* .addtla = */ (unsigned char *)
    2042             :     "\xbe\x13\xdb\x2a\xe9\xa8\xfe\x09\x97\xe1\xce\x5d"
    2043             :     "\xe8\xbb\xc0\x7c\x4f\xcb\x62\x19\x3f\x0f\xd2\xad"
    2044             :     "\xa9\xd0\x1d\x59\x02\xc4\xff\x70",
    2045             :     /* .addtlb = */ (unsigned char *)
    2046             :     "\x6f\x96\x13\xe2\xa7\xf5\x6c\xfe\xdf\x66\xe3\x31"
    2047             :     "\x63\x76\xbf\x20\x27\x06\x49\xf1\xf3\x01\x77\x41"
    2048             :     "\x9f\xeb\xe4\x38\xfe\x67\x00\xcd",
    2049             :     /* .addtllen = */ 32,
    2050             :     /* .pers = */ NULL,
    2051             :     /* .perslen = */ 0,
    2052             :     /* .expected = */ (unsigned char *)
    2053             :     "\x3b\x14\x71\x99\xa1\xda\xa0\x42\xe6\xc8\x85\x32"
    2054             :     "\x70\x20\x32\x53\x9a\xbe\xd1\x1e\x15\xef\xfb\x4c"
    2055             :     "\x25\x6e\x19\x3a\xf0\xb9\xcb\xde\xf0\x3b\xc6\x18"
    2056             :     "\x4d\x85\x5a\x9b\xf1\xe3\xc2\x23\x03\x93\x08\xdb"
    2057             :     "\xa7\x07\x4b\x33\x78\x40\x4d\xeb\x24\xf5\x6e\x81"
    2058             :     "\x4a\x1b\x6e\xa3\x94\x52\x43\xb0\xaf\x2e\x21\xf4"
    2059             :     "\x42\x46\x8e\x90\xed\x34\x21\x75\xea\xda\x67\xb6"
    2060             :     "\xe4\xf6\xff\xc6\x31\x6c\x9a\x5a\xdb\xb3\x97\x13"
    2061             :     "\x09\xd3\x20\x98\x33\x2d\x6d\xd7\xb5\x6a\xa8\xa9"
    2062             :     "\x9a\x5b\xd6\x87\x52\xa1\x89\x2b\x4b\x9c\x64\x60"
    2063             :     "\x50\x47\xa3\x63\x81\x16\xaf\x19",
    2064             :     /* .expectedlen = */ 128,
    2065             :     /* .entropyreseed = */ NULL,
    2066             :     /* .entropyreseed_len = */ 0,
    2067             :     /* .addtl_reseed = */ NULL,
    2068             :     /* .addtl_reseed_len = */ 0
    2069             :   },
    2070             :   {
    2071             :     /* flags = */ "hmac sha256 pr" /* DRBG_PR_HMACSHA256 */,
    2072             :     /* .entropy = */ (unsigned char *)
    2073             :     "\x13\x54\x96\xfc\x1b\x7d\x28\xf3\x18\xc9\xa7\x89"
    2074             :     "\xb6\xb3\xc8\x72\xac\x00\xd4\x59\x36\x25\x05\xaf"
    2075             :     "\xa5\xdb\x96\xcb\x3c\x58\x46\x87\xa5\xaa\xbf\x20"
    2076             :     "\x3b\xfe\x23\x0e\xd1\xc7\x41\x0f\x3f\xc9\xb3\x67",
    2077             :     /* .entropylen = */ 48,
    2078             :     /* .entpra = */ (unsigned char *)
    2079             :     "\xe2\xbd\xb7\x48\x08\x06\xf3\xe1\x93\x3c\xac\x79"
    2080             :     "\xa7\x2b\x11\xda\xe3\x2e\xe1\x91\xa5\x02\x19\x57"
    2081             :     "\x20\x28\xad\xf2\x60\xd7\xcd\x45",
    2082             :     /* .entprb = */ (unsigned char *)
    2083             :     "\x8b\xd4\x69\xfc\xff\x59\x95\x95\xc6\x51\xde\x71"
    2084             :     "\x68\x5f\xfc\xf9\x4a\xab\xec\x5a\xcb\xbe\xd3\x66"
    2085             :     "\x1f\xfa\x74\xd3\xac\xa6\x74\x60",
    2086             :     /* .entprlen = */ 32,
    2087             :     /* .addtla = */ NULL,
    2088             :     /* .addtlb = */ NULL,
    2089             :     /* .addtllen = */ 0,
    2090             :     /* .pers = */ (unsigned char *)
    2091             :     "\x64\xb6\xfc\x60\xbc\x61\x76\x23\x6d\x3f\x4a\x0f"
    2092             :     "\xe1\xb4\xd5\x20\x9e\x70\xdd\x03\x53\x6d\xbf\xce"
    2093             :     "\xcd\x56\x80\xbc\xb8\x15\xc8\xaa",
    2094             :     /* .perslen = */ 32,
    2095             :     /* .expected = */ (unsigned char *)
    2096             :     "\x1f\x9e\xaf\xe4\xd2\x46\xb7\x47\x41\x4c\x65\x99"
    2097             :     "\x01\xe9\x3b\xbb\x83\x0c\x0a\xb0\xc1\x3a\xe2\xb3"
    2098             :     "\x31\x4e\xeb\x93\x73\xee\x0b\x26\xc2\x63\xa5\x75"
    2099             :     "\x45\x99\xd4\x5c\x9f\xa1\xd4\x45\x87\x6b\x20\x61"
    2100             :     "\x40\xea\x78\xa5\x32\xdf\x9e\x66\x17\xaf\xb1\x88"
    2101             :     "\x9e\x2e\x23\xdd\xc1\xda\x13\x97\x88\xa5\xb6\x5e"
    2102             :     "\x90\x14\x4e\xef\x13\xab\x5c\xd9\x2c\x97\x9e\x7c"
    2103             :     "\xd7\xf8\xce\xea\x81\xf5\xcd\x71\x15\x49\x44\xce"
    2104             :     "\x83\xb6\x05\xfb\x7d\x30\xb5\x57\x2c\x31\x4f\xfc"
    2105             :     "\xfe\x80\xb6\xc0\x13\x0c\x5b\x9b\x2e\x8f\x3d\xfc"
    2106             :     "\xc2\xa3\x0c\x11\x1b\x80\x5f\xf3",
    2107             :     /* .expectedlen = */ 128,
    2108             :     /* .entropyreseed = */ NULL,
    2109             :     /* .entropyreseed_len = */ 0,
    2110             :     /* .addtl_reseed = */ NULL,
    2111             :     /* .addtl_reseed_len = */ 0
    2112             :   },
    2113             :   {
    2114             :     /* .flags = */ "aes sym128 pr", /* DRBG_PR_CTRAES128 */
    2115             :     /* .entropy = */ (unsigned char *)
    2116             :     "\x92\x89\x8f\x31\xfa\x1c\xff\x6d\x18\x2f\x26\x06"
    2117             :     "\x43\xdf\xf8\x18\xc2\xa4\xd9\x72\xc3\xb9\xb6\x97",
    2118             :     /* .entropylen = */ 24,
    2119             :     /* .entpra = */ (unsigned char *)
    2120             :     "\x20\x72\x8a\x06\xf8\x6f\x8d\xd4\x41\xe2\x72\xb7"
    2121             :     "\xc4\x2c\xe8\x10",
    2122             :     /* .entprb = */ (unsigned char *)
    2123             :     "\x3d\xb0\xf0\x94\xf3\x05\x50\x33\x17\x86\x3e\x22"
    2124             :     "\x08\xf7\xa5\x01",
    2125             :     /* .entprlen = */ 16,
    2126             :     /* .addtla = */ (unsigned char *)
    2127             :     "\x1a\x40\xfa\xe3\xcc\x6c\x7c\xa0\xf8\xda\xba\x59"
    2128             :     "\x23\x6d\xad\x1d",
    2129             :     /* .addtlb = */ (unsigned char *)
    2130             :     "\x9f\x72\x76\x6c\xc7\x46\xe5\xed\x2e\x53\x20\x12"
    2131             :     "\xbc\x59\x31\x8c",
    2132             :     /* .addtllen = */ 16,
    2133             :     /* .pers = */ (unsigned char *)
    2134             :     "\xea\x65\xee\x60\x26\x4e\x7e\xb6\x0e\x82\x68\xc4"
    2135             :     "\x37\x3c\x5c\x0b",
    2136             :     /* .perslen = */ 16,
    2137             :     /* .expected = */ (unsigned char *)
    2138             :     "\x5a\x35\x39\x87\x0f\x4d\x22\xa4\x09\x24\xee\x71"
    2139             :     "\xc9\x6f\xac\x72\x0a\xd6\xf0\x88\x82\xd0\x83\x28"
    2140             :     "\x73\xec\x3f\x93\xd8\xab\x45\x23\xf0\x7e\xac\x45"
    2141             :     "\x14\x5e\x93\x9f\xb1\xd6\x76\x43\x3d\xb6\xe8\x08"
    2142             :     "\x88\xf6\xda\x89\x08\x77\x42\xfe\x1a\xf4\x3f\xc4"
    2143             :     "\x23\xc5\x1f\x68",
    2144             :     /* .expectedlen = */ 64,
    2145             :     /* .entropyreseed = */ NULL,
    2146             :     /* .entropyreseed_len = */ 0,
    2147             :     /* .addtl_reseed = */ NULL,
    2148             :     /* .addtl_reseed_len = */ 0
    2149             :    }
    2150             : };
    2151             : 
    2152             : struct gcry_drbg_test_vector drbg_test_nopr[] = {
    2153             :   {
    2154             :     /* .flags = */ "sha256" /* DRBG_NOPR_HASHSHA256 */,
    2155             :     /* .entropy = */ (unsigned char *)
    2156             :     "\x73\xd3\xfb\xa3\x94\x5f\x2b\x5f\xb9\x8f\xf6\x9c"
    2157             :     "\x8a\x93\x17\xae\x19\xc3\x4c\xc3\xd6\xca\xa3\x2d"
    2158             :     "\x16\xfc\x42\xd2\x2d\xd5\x6f\x56\xcc\x1d\x30\xff"
    2159             :     "\x9e\x06\x3e\x09\xce\x58\xe6\x9a\x35\xb3\xa6\x56",
    2160             :     /* .entropylen = */ 48,
    2161             :     /* .entpra = */ NULL,
    2162             :     /* .entprb = */ NULL,
    2163             :     /* .entprlen = */ 0,
    2164             :     /* .addtla = */ (unsigned char *)
    2165             :     "\xf4\xd5\x98\x3d\xa8\xfc\xfa\x37\xb7\x54\x67\x73"
    2166             :     "\xc7\xc3\xdd\x47\x34\x71\x02\x5d\xc1\xa0\xd3\x10"
    2167             :     "\xc1\x8b\xbd\xf5\x66\x34\x6f\xdd",
    2168             :     /* .addtlb = */ (unsigned char *)
    2169             :     "\xf7\x9e\x6a\x56\x0e\x73\xe9\xd9\x7a\xd1\x69\xe0"
    2170             :     "\x6f\x8c\x55\x1c\x44\xd1\xce\x6f\x28\xcc\xa4\x4d"
    2171             :     "\xa8\xc0\x85\xd1\x5a\x0c\x59\x40",
    2172             :     /* .addtllen = */ 32,
    2173             :     /* .pers = */ NULL,
    2174             :     /* .perslen = */ 0,
    2175             :     /* .expected = */ (unsigned char *)
    2176             :     "\x71\x7b\x93\x46\x1a\x40\xaa\x35\xa4\xaa\xc5\xe7"
    2177             :     "\x6d\x5b\x5b\x8a\xa0\xdf\x39\x7d\xae\x71\x58\x5b"
    2178             :     "\x3c\x7c\xb4\xf0\x89\xfa\x4a\x8c\xa9\x5c\x54\xc0"
    2179             :     "\x40\xdf\xbc\xce\x26\x81\x34\xf8\xba\x7d\x1c\xe8"
    2180             :     "\xad\x21\xe0\x74\xcf\x48\x84\x30\x1f\xa1\xd5\x4f"
    2181             :     "\x81\x42\x2f\xf4\xdb\x0b\x23\xf8\x73\x27\xb8\x1d"
    2182             :     "\x42\xf8\x44\x58\xd8\x5b\x29\x27\x0a\xf8\x69\x59"
    2183             :     "\xb5\x78\x44\xeb\x9e\xe0\x68\x6f\x42\x9a\xb0\x5b"
    2184             :     "\xe0\x4e\xcb\x6a\xaa\xe2\xd2\xd5\x33\x25\x3e\xe0"
    2185             :     "\x6c\xc7\x6a\x07\xa5\x03\x83\x9f\xe2\x8b\xd1\x1c"
    2186             :     "\x70\xa8\x07\x59\x97\xeb\xf6\xbe",
    2187             :     /* .expectedlen = */ 128,
    2188             :     /* .entropyreseed = */ NULL,
    2189             :     /* .entropyreseed_len = */ 0,
    2190             :     /* .addtl_reseed = */ NULL,
    2191             :     /* .addtl_reseed_len = */ 0
    2192             :   },
    2193             :   {
    2194             :     /* .flags = */ "hmac sha256" /* DRBG_NOPR_HMACSHA256 */,
    2195             :     /* .entropy = */ (unsigned char *)
    2196             :     "\x8d\xf0\x13\xb4\xd1\x03\x52\x30\x73\x91\x7d\xdf"
    2197             :     "\x6a\x86\x97\x93\x05\x9e\x99\x43\xfc\x86\x54\x54"
    2198             :     "\x9e\x7a\xb2\x2f\x7c\x29\xf1\x22\xda\x26\x25\xaf"
    2199             :     "\x2d\xdd\x4a\xbc\xce\x3c\xf4\xfa\x46\x59\xd8\x4e",
    2200             :     /* .entropylen = */ 48,
    2201             :     /* .entpra = */ NULL,
    2202             :     /* .entprb = */ NULL,
    2203             :     /* .entprlen = */ 0,
    2204             :     /* .addtla = */ NULL,
    2205             :     /* .addtlb = */ NULL,
    2206             :     /* .addtllen = */ 0,
    2207             :     /* .pers = */ (unsigned char *)
    2208             :     "\xb5\x71\xe6\x6d\x7c\x33\x8b\xc0\x7b\x76\xad\x37"
    2209             :     "\x57\xbb\x2f\x94\x52\xbf\x7e\x07\x43\x7a\xe8\x58"
    2210             :     "\x1c\xe7\xbc\x7c\x3a\xc6\x51\xa9",
    2211             :     /* .perslen = */ 32,
    2212             :     /* .expected = */ (unsigned char *)
    2213             :     "\xb9\x1c\xba\x4c\xc8\x4f\xa2\x5d\xf8\x61\x0b\x81"
    2214             :     "\xb6\x41\x40\x27\x68\xa2\x09\x72\x34\x93\x2e\x37"
    2215             :     "\xd5\x90\xb1\x15\x4c\xbd\x23\xf9\x74\x52\xe3\x10"
    2216             :     "\xe2\x91\xc4\x51\x46\x14\x7f\x0d\xa2\xd8\x17\x61"
    2217             :     "\xfe\x90\xfb\xa6\x4f\x94\x41\x9c\x0f\x66\x2b\x28"
    2218             :     "\xc1\xed\x94\xda\x48\x7b\xb7\xe7\x3e\xec\x79\x8f"
    2219             :     "\xbc\xf9\x81\xb7\x91\xd1\xbe\x4f\x17\x7a\x89\x07"
    2220             :     "\xaa\x3c\x40\x16\x43\xa5\xb6\x2b\x87\xb8\x9d\x66"
    2221             :     "\xb3\xa6\x0e\x40\xd4\xa8\xe4\xe9\xd8\x2a\xf6\xd2"
    2222             :     "\x70\x0e\x6f\x53\x5c\xdb\x51\xf7\x5c\x32\x17\x29"
    2223             :     "\x10\x37\x41\x03\x0c\xcc\x3a\x56",
    2224             :     /* .expectedlen = */ 128,
    2225             :     /* .entropyreseed = */ NULL,
    2226             :     /* .entropyreseed_len = */ 0,
    2227             :     /* .addtl_reseed = */ NULL,
    2228             :     /* .addtl_reseed_len = */ 0
    2229             :   },
    2230             :   {
    2231             :     /* .flags = */ "aes sym128" /* DRBG_NOPR_CTRAES128 */,
    2232             :     /* .entropy = */ (unsigned char *)
    2233             :     "\xc0\x70\x1f\x92\x50\x75\x8f\xcd\xf2\xbe\x73\x98"
    2234             :     "\x80\xdb\x66\xeb\x14\x68\xb4\xa5\x87\x9c\x2d\xa6",
    2235             :     /* .entropylen = */ 24,
    2236             :     /* .entpra = */ NULL,
    2237             :     /* .entprb = */ NULL,
    2238             :     /* .entprlen = */ 0,
    2239             :     /* .addtla = */ (unsigned char *)
    2240             :     "\xf9\x01\xf8\x16\x7a\x1d\xff\xde\x8e\x3c\x83\xe2"
    2241             :     "\x44\x85\xe7\xfe",
    2242             :     /* .addtlb = */ (unsigned char *)
    2243             :     "\x17\x1c\x09\x38\xc2\x38\x9f\x97\x87\x60\x55\xb4"
    2244             :     "\x82\x16\x62\x7f",
    2245             :     /* .addtllen = */ 16,
    2246             :     /* .pers = */ (unsigned char *)
    2247             :     "\x80\x08\xae\xe8\xe9\x69\x40\xc5\x08\x73\xc7\x9f"
    2248             :     "\x8e\xcf\xe0\x02",
    2249             :     /* .perslen = */ 16,
    2250             :     /* .expected = */ (unsigned char *)
    2251             :     "\x97\xc0\xc0\xe5\xa0\xcc\xf2\x4f\x33\x63\x48\x8a"
    2252             :     "\xdb\x13\x0a\x35\x89\xbf\x80\x65\x62\xee\x13\x95"
    2253             :     "\x7c\x33\xd3\x7d\xf4\x07\x77\x7a\x2b\x65\x0b\x5f"
    2254             :     "\x45\x5c\x13\xf1\x90\x77\x7f\xc5\x04\x3f\xcc\x1a"
    2255             :     "\x38\xf8\xcd\x1b\xbb\xd5\x57\xd1\x4a\x4c\x2e\x8a"
    2256             :     "\x2b\x49\x1e\x5c",
    2257             :     /* .expectedlen = */ 64,
    2258             :     /* .entropyreseed = */ NULL,
    2259             :     /* .entropyreseed_len = */ 0,
    2260             :     /* .addtl_reseed = */ NULL,
    2261             :     /* .addtl_reseed_len = */ 0
    2262             :   },
    2263             :   {
    2264             :     /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */,
    2265             :     /* .entropy = */ (unsigned char *)
    2266             :     "\x16\x10\xb8\x28\xcc\xd2\x7d\xe0\x8c\xee\xa0\x32"
    2267             :     "\xa2\x0e\x92\x08\x49\x2c\xf1\x70\x92\x42\xf6\xb5",
    2268             :     /* .entropylen = */ 24,
    2269             :     /* .entpra = */ NULL,
    2270             :     /* .entprb = */ NULL,
    2271             :     /* .entprlen = */ 0,
    2272             :     /* .addtla = */ NULL,
    2273             :     /* .addtlb = */ NULL,
    2274             :     /* .addtllen = */ 0,
    2275             :     /* .pers = */ NULL,
    2276             :     /* .perslen = */ 0,
    2277             :     /* .expected = */ (unsigned char *)
    2278             :     "\x56\xf3\x3d\x4f\xdb\xb9\xa5\xb6\x4d\x26\x23\x44"
    2279             :     "\x97\xe9\xdc\xb8\x77\x98\xc6\x8d\x08\xf7\xc4\x11"
    2280             :     "\x99\xd4\xbd\xdf\x97\xeb\xbf\x6c\xb5\x55\x0e\x5d"
    2281             :     "\x14\x9f\xf4\xd5\xbd\x0f\x05\xf2\x5a\x69\x88\xc1"
    2282             :     "\x74\x36\x39\x62\x27\x18\x4a\xf8\x4a\x56\x43\x35"
    2283             :     "\x65\x8e\x2f\x85\x72\xbe\xa3\x33\xee\xe2\xab\xff"
    2284             :     "\x22\xff\xa6\xde\x3e\x22\xac\xa2",
    2285             :     /* .expectedlen = */ 80,
    2286             :     /* .entropyreseed = */ (unsigned char *)
    2287             :     "\x72\xd2\x8c\x90\x8e\xda\xf9\xa4\xd1\xe5\x26\xd8"
    2288             :     "\xf2\xde\xd5\x44",
    2289             :     /* .entropyreseed_len = */ 16,
    2290             :     /* .addtl_reseed = */ NULL,
    2291             :     /* .addtl_reseed_len = */ 0
    2292             :   },
    2293             :   {
    2294             :     /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */,
    2295             :     /* .entropy = */ (unsigned char *)
    2296             :     "\xd9\xba\xb5\xce\xdc\xa9\x6f\x61\x78\xd6\x45\x09"
    2297             :     "\xa0\xdf\xdc\x5e\xda\xd8\x98\x94\x14\x45\x0e\x01",
    2298             :     /* .entropylen = */ 24,
    2299             :     /* .entpra = */ NULL,
    2300             :     /* .entprb = */ NULL,
    2301             :     /* .entprlen = */ 0,
    2302             :     /* .addtla = */ (unsigned char *)
    2303             :     "\x04\xfa\x28\x95\xaa\x5a\x6f\x8c\x57\x43\x34\x3b"
    2304             :     "\x80\x5e\x5e\xa4",
    2305             :     /* .addtlb = */ (unsigned char *)
    2306             :     "\xdf\x5d\xc4\x59\xdf\xf0\x2a\xa2\xf0\x52\xd7\x21"
    2307             :     "\xec\x60\x72\x30",
    2308             :     /* .addtllen = */ 16,
    2309             :     /* .pers = */ NULL,
    2310             :     /* .perslen = */ 0,
    2311             :     /* .expected = */ (unsigned char *)
    2312             :     "\xc4\x8b\x89\xf9\xda\x3f\x74\x82\x45\x55\x5d\x5d"
    2313             :     "\x03\x3b\x69\x3d\xd7\x1a\x4d\xf5\x69\x02\x05\xce"
    2314             :     "\xfc\xd7\x20\x11\x3c\xc2\x4e\x09\x89\x36\xff\x5e"
    2315             :     "\x77\xb5\x41\x53\x58\x70\xb3\x39\x46\x8c\xdd\x8d"
    2316             :     "\x6f\xaf\x8c\x56\x16\x3a\x70\x0a\x75\xb2\x3e\x59"
    2317             :     "\x9b\x5a\xec\xf1\x6f\x3b\xaf\x6d\x5f\x24\x19\x97"
    2318             :     "\x1f\x24\xf4\x46\x72\x0f\xea\xbe",
    2319             :     /* .expectedlen = */ 80,
    2320             :     /* .entropyreseed = */ (unsigned char *)
    2321             :     "\xc6\xba\xd0\x74\xc5\x90\x67\x86\xf5\xe1\xf3\x20"
    2322             :     "\x99\xf5\xb4\x91",
    2323             :     /* .entropyreseed_len = */ 16,
    2324             :     /* .addtl_reseed = */ (unsigned char *)
    2325             :     "\x3e\x6b\xf4\x6f\x4d\xaa\x38\x25\xd7\x19\x4e\x69"
    2326             :     "\x4e\x77\x52\xf7",
    2327             :     /* .addtl_reseed_len = */ 16
    2328             :   }
    2329             : };
    2330             : 
    2331             : 
    2332             : /*
    2333             :  * Tests implement the CAVS test approach as documented in
    2334             :  * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/DRBGVS.pdf
    2335             :  */
    2336             : 
    2337             : /*
    2338             :  * CAVS test
    2339             :  *
    2340             :  * This function is not static as it is needed for as a private API
    2341             :  * call for the CAVS test tool.
    2342             :  */
    2343             : gpg_err_code_t
    2344           0 : _gcry_rngdrbg_cavs_test (struct gcry_drbg_test_vector *test, unsigned char *buf)
    2345             : {
    2346           0 :   gpg_err_code_t ret = 0;
    2347           0 :   drbg_state_t drbg = NULL;
    2348             :   struct drbg_test_data_s test_data;
    2349             :   drbg_string_t addtl, pers, testentropy;
    2350           0 :   int coreref = 0;
    2351           0 :   int pr = 0;
    2352             :   u32 flags;
    2353             : 
    2354           0 :   ret = parse_flag_string (test->flagstr, &flags);
    2355           0 :   if (ret)
    2356           0 :     goto outbuf;
    2357             : 
    2358           0 :   ret = drbg_algo_available (flags, &coreref);
    2359           0 :   if (ret)
    2360           0 :     goto outbuf;
    2361             : 
    2362           0 :   drbg = xtrycalloc_secure (1, sizeof *drbg);
    2363           0 :   if (!drbg)
    2364             :     {
    2365           0 :       ret = gpg_err_code_from_syserror ();
    2366           0 :       goto outbuf;
    2367             :     }
    2368             : 
    2369           0 :   if ((flags & DRBG_PREDICTION_RESIST))
    2370           0 :     pr = 1;
    2371             : 
    2372           0 :   test_data.testentropy = &testentropy;
    2373           0 :   drbg_string_fill (&testentropy, test->entropy, test->entropylen);
    2374           0 :   drbg->test_data = &test_data;
    2375           0 :   drbg_string_fill (&pers, test->pers, test->perslen);
    2376           0 :   ret = drbg_instantiate (drbg, &pers, coreref, pr);
    2377           0 :   if (ret)
    2378           0 :     goto outbuf;
    2379             : 
    2380           0 :   if (test->entropyreseed)
    2381             :     {
    2382           0 :       drbg_string_fill (&testentropy, test->entropyreseed,
    2383             :                              test->entropyreseed_len);
    2384           0 :       drbg_string_fill (&addtl, test->addtl_reseed,
    2385             :                              test->addtl_reseed_len);
    2386           0 :       if (drbg_reseed (drbg, &addtl))
    2387           0 :         goto outbuf;
    2388             :     }
    2389             : 
    2390           0 :   drbg_string_fill (&addtl, test->addtla, test->addtllen);
    2391           0 :   if (test->entpra)
    2392             :     {
    2393           0 :       drbg_string_fill (&testentropy, test->entpra, test->entprlen);
    2394           0 :       drbg->test_data = &test_data;
    2395             :     }
    2396           0 :   drbg_generate_long (drbg, buf, test->expectedlen, &addtl);
    2397             : 
    2398           0 :   drbg_string_fill (&addtl, test->addtlb, test->addtllen);
    2399           0 :   if (test->entprb)
    2400             :     {
    2401           0 :       drbg_string_fill (&testentropy, test->entprb, test->entprlen);
    2402           0 :       drbg->test_data = &test_data;
    2403             :     }
    2404           0 :   drbg_generate_long (drbg, buf, test->expectedlen, &addtl);
    2405           0 :   drbg_uninstantiate (drbg);
    2406             : 
    2407             :  outbuf:
    2408           0 :   xfree (drbg);
    2409           0 :   return ret;
    2410             : }
    2411             : 
    2412             : /*
    2413             :  * Invoke the CAVS test and perform the final check whether the
    2414             :  * calculated random value matches the expected one.
    2415             :  *
    2416             :  * This function is not static as it is needed for as a private API
    2417             :  * call for the CAVS test tool.
    2418             :  */
    2419             : gpg_err_code_t
    2420           0 : _gcry_rngdrbg_healthcheck_one (struct gcry_drbg_test_vector * test)
    2421             : {
    2422           0 :   gpg_err_code_t ret = GPG_ERR_ENOMEM;
    2423           0 :   unsigned char *buf = xcalloc_secure (1, test->expectedlen);
    2424           0 :   if (!buf)
    2425           0 :     return GPG_ERR_ENOMEM;
    2426             : 
    2427           0 :   ret = _gcry_rngdrbg_cavs_test (test, buf);
    2428             :   /* FIXME: The next line is wrong.   */
    2429           0 :   ret = memcmp (test->expected, buf, test->expectedlen);
    2430             : 
    2431           0 :   xfree (buf);
    2432           0 :   return ret;
    2433             : }
    2434             : 
    2435             : /*
    2436             :  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
    2437             :  * of the error handling.
    2438             :  *
    2439             :  * Note, testing the reseed counter is not done as an automatic reseeding
    2440             :  * is performed in drbg_generate when the reseed counter is too large.
    2441             :  */
    2442             : static gpg_err_code_t
    2443           0 : drbg_healthcheck_sanity (struct gcry_drbg_test_vector *test)
    2444             : {
    2445           0 :   unsigned int len = 0;
    2446           0 :   drbg_state_t drbg = NULL;
    2447           0 :   gpg_err_code_t ret = GPG_ERR_GENERAL;
    2448           0 :   gpg_err_code_t tmpret = GPG_ERR_GENERAL;
    2449             :   struct drbg_test_data_s test_data;
    2450             :   drbg_string_t addtl, testentropy;
    2451           0 :   int coreref = 0;
    2452           0 :   unsigned char *buf = NULL;
    2453             :   size_t max_addtllen, max_request_bytes;
    2454             :   u32 flags;
    2455             : 
    2456             :   /* only perform test in FIPS mode */
    2457           0 :   if (0 == fips_mode ())
    2458           0 :     return 0;
    2459             : 
    2460           0 :   ret = parse_flag_string (test->flagstr, &flags);
    2461           0 :   if (ret)
    2462           0 :     return ret;
    2463           0 :   ret = GPG_ERR_GENERAL; /* Fixme: Improve handling of RET.  */
    2464             : 
    2465           0 :   buf = xtrycalloc_secure (1, test->expectedlen);
    2466           0 :   if (!buf)
    2467           0 :     return gpg_err_code_from_syserror ();
    2468           0 :   tmpret = drbg_algo_available (flags, &coreref);
    2469           0 :   if (tmpret)
    2470           0 :     goto outbuf;
    2471           0 :   drbg = xtrycalloc_secure (1, sizeof *drbg);
    2472           0 :   if (!drbg)
    2473             :     {
    2474           0 :       ret = gpg_err_code_from_syserror ();
    2475           0 :       goto outbuf;
    2476             :     }
    2477             : 
    2478             :   /* if the following tests fail, it is likely that there is a buffer
    2479             :    * overflow and we get a SIGSEV */
    2480           0 :   ret = drbg_instantiate (drbg, NULL, coreref, 1);
    2481           0 :   if (ret)
    2482           0 :     goto outbuf;
    2483           0 :   max_addtllen = drbg_max_addtl ();
    2484           0 :   max_request_bytes = drbg_max_request_bytes ();
    2485             :   /* overflow addtllen with additonal info string */
    2486           0 :   drbg_string_fill (&addtl, test->addtla, (max_addtllen + 1));
    2487           0 :   len = drbg_generate (drbg, buf, test->expectedlen, &addtl);
    2488           0 :   if (len)
    2489           0 :     goto outdrbg;
    2490             : 
    2491             :   /* overflow max_bits */
    2492           0 :   len = drbg_generate (drbg, buf, (max_request_bytes + 1), NULL);
    2493           0 :   if (len)
    2494           0 :     goto outdrbg;
    2495           0 :   drbg_uninstantiate (drbg);
    2496             : 
    2497             :   /* test failing entropy source as defined in 11.3.2 */
    2498           0 :   test_data.testentropy = NULL;
    2499           0 :   test_data.fail_seed_source = 1;
    2500           0 :   drbg->test_data = &test_data;
    2501           0 :   tmpret = drbg_instantiate (drbg, NULL, coreref, 0);
    2502           0 :   if (!tmpret)
    2503           0 :     goto outdrbg;
    2504           0 :   test_data.fail_seed_source = 0;
    2505             : 
    2506           0 :   test_data.testentropy = &testentropy;
    2507           0 :   drbg_string_fill (&testentropy, test->entropy, test->entropylen);
    2508             :   /* overflow max addtllen with personalization string */
    2509           0 :   tmpret = drbg_instantiate (drbg, &addtl, coreref, 0);
    2510           0 :   if (!tmpret)
    2511           0 :     goto outdrbg;
    2512             : 
    2513             :   dbg (("DRBG: Sanity tests for failure code paths successfully completed\n"));
    2514           0 :   ret = 0;
    2515             : 
    2516             :  outdrbg:
    2517           0 :   drbg_uninstantiate (drbg);
    2518             :  outbuf:
    2519           0 :   xfree (buf);
    2520           0 :   xfree (drbg);
    2521           0 :   return ret;
    2522             : }
    2523             : 
    2524             : /*
    2525             :  * DRBG Healthcheck function as required in SP800-90A
    2526             :  *
    2527             :  * return:
    2528             :  *      0 on success (all tests pass)
    2529             :  *      >0 on error (return code indicate the number of failures)
    2530             :  */
    2531             : static int
    2532           0 : drbg_healthcheck (void)
    2533             : {
    2534           0 :   int ret = 0;
    2535           0 :   ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[0]);
    2536           0 :   ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[1]);
    2537           0 :   ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[2]);
    2538           0 :   ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[3]);
    2539           0 :   ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[4]);
    2540           0 :   ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[0]);
    2541           0 :   ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[1]);
    2542           0 :   ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[2]);
    2543           0 :   ret += drbg_healthcheck_sanity (&drbg_test_nopr[0]);
    2544           0 :   return ret;
    2545             : }
    2546             : 
    2547             : /* Run the self-tests.  */
    2548             : gcry_error_t
    2549           0 : _gcry_rngdrbg_selftest (selftest_report_func_t report)
    2550             : {
    2551             :   gcry_err_code_t ec;
    2552           0 :   const char *errtxt = NULL;
    2553           0 :   drbg_lock ();
    2554           0 :   if (0 != drbg_healthcheck ())
    2555           0 :     errtxt = "RNG output does not match known value";
    2556           0 :   drbg_unlock ();
    2557           0 :   if (report && errtxt)
    2558           0 :     report ("random", 0, "KAT", errtxt);
    2559           0 :   ec = errtxt ? GPG_ERR_SELFTEST_FAILED : 0;
    2560           0 :   return gpg_error (ec);
    2561             : }
    2562             : 
    2563             : /***************************************************************
    2564             :  * Cipher invocations requested by DRBG
    2565             :  ***************************************************************/
    2566             : 
    2567             : static gpg_err_code_t
    2568          26 : drbg_hmac (drbg_state_t drbg, const unsigned char *key,
    2569             :                 unsigned char *outval, const drbg_string_t *buf)
    2570             : {
    2571             :   gpg_error_t err;
    2572             :   gcry_md_hd_t hd;
    2573             : 
    2574          26 :   if (key)
    2575             :     {
    2576          26 :       err =
    2577          26 :         _gcry_md_open (&hd, drbg->core->backend_cipher, GCRY_MD_FLAG_HMAC);
    2578          26 :       if (err)
    2579           0 :         return err;
    2580          26 :       err = _gcry_md_setkey (hd, key, drbg_statelen (drbg));
    2581          26 :       if (err)
    2582           0 :         return err;
    2583             :     }
    2584             :   else
    2585             :     {
    2586           0 :       err = _gcry_md_open (&hd, drbg->core->backend_cipher, 0);
    2587           0 :       if (err)
    2588           0 :         return err;
    2589             :     }
    2590          66 :   for (; NULL != buf; buf = buf->next)
    2591          40 :     _gcry_md_write (hd, buf->buf, buf->len);
    2592          26 :   _gcry_md_final (hd);
    2593          26 :   memcpy (outval, _gcry_md_read (hd, drbg->core->backend_cipher),
    2594          26 :           drbg_blocklen (drbg));
    2595          26 :   _gcry_md_close (hd);
    2596          26 :   return 0;
    2597             : }
    2598             : 
    2599             : static gpg_err_code_t
    2600           0 : drbg_sym (drbg_state_t drbg, const unsigned char *key,
    2601             :           unsigned char *outval, const drbg_string_t *buf)
    2602             : {
    2603             :   gpg_error_t err;
    2604             :   gcry_cipher_hd_t hd;
    2605             : 
    2606           0 :   err = _gcry_cipher_open (&hd, drbg->core->backend_cipher,
    2607             :                            GCRY_CIPHER_MODE_ECB, 0);
    2608           0 :   if (err)
    2609           0 :     return err;
    2610           0 :   if (drbg_blocklen (drbg) !=
    2611           0 :       _gcry_cipher_get_algo_blklen (drbg->core->backend_cipher))
    2612           0 :     return -GPG_ERR_NO_ERROR;
    2613           0 :   if (drbg_blocklen (drbg) < buf->len)
    2614           0 :     return -GPG_ERR_NO_ERROR;
    2615           0 :   err = _gcry_cipher_setkey (hd, key, drbg_keylen (drbg));
    2616           0 :   if (err)
    2617           0 :     return err;
    2618             :   /* in is only component */
    2619           0 :   _gcry_cipher_encrypt (hd, outval, drbg_blocklen (drbg), buf->buf,
    2620             :                         buf->len);
    2621           0 :   _gcry_cipher_close (hd);
    2622           0 :   return 0;
    2623             : }

Generated by: LCOV version 1.11