File openssl-fips_selftest_upstream_drbg.patch of Package openssl-1_1.24901

Index: openssl-1.1.1d/crypto/fips/drbgtest.c
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.1.1d/crypto/fips/drbgtest.c	2020-03-02 16:41:48.984475937 +0100
@@ -0,0 +1,1179 @@
+/*
+ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include "internal/nelem.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/obj_mac.h>
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include "../crypto/rand/rand_lcl.h"
+#include "../crypto/include/internal/rand_int.h"
+
+#if defined(_WIN32)
+# include <windows.h>
+#endif
+
+
+#if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <unistd.h>
+#endif
+
+#include "../../test/drbgtest.h"
+
+typedef struct drbg_selftest_data_st {
+    int post;
+    int nid;
+    unsigned int flags;
+
+    /* KAT data for no PR */
+    const unsigned char *entropy;
+    size_t entropylen;
+    const unsigned char *nonce;
+    size_t noncelen;
+    const unsigned char *pers;
+    size_t perslen;
+    const unsigned char *adin;
+    size_t adinlen;
+    const unsigned char *entropyreseed;
+    size_t entropyreseedlen;
+    const unsigned char *adinreseed;
+    size_t adinreseedlen;
+    const unsigned char *adin2;
+    size_t adin2len;
+    const unsigned char *expected;
+    size_t exlen;
+    const unsigned char *kat2;
+    size_t kat2len;
+
+    /* KAT data for PR */
+    const unsigned char *entropy_pr;
+    size_t entropylen_pr;
+    const unsigned char *nonce_pr;
+    size_t noncelen_pr;
+    const unsigned char *pers_pr;
+    size_t perslen_pr;
+    const unsigned char *adin_pr;
+    size_t adinlen_pr;
+    const unsigned char *entropypr_pr;
+    size_t entropyprlen_pr;
+    const unsigned char *ading_pr;
+    size_t adinglen_pr;
+    const unsigned char *entropyg_pr;
+    size_t entropyglen_pr;
+    const unsigned char *kat_pr;
+    size_t katlen_pr;
+    const unsigned char *kat2_pr;
+    size_t kat2len_pr;
+} DRBG_SELFTEST_DATA;
+
+#define make_drbg_test_data(nid, flag, pr, post) {\
+    post, nid, flag, \
+    pr##_entropyinput, sizeof(pr##_entropyinput), \
+    pr##_nonce, sizeof(pr##_nonce), \
+    pr##_personalizationstring, sizeof(pr##_personalizationstring), \
+    pr##_additionalinput, sizeof(pr##_additionalinput), \
+    pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
+    pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
+    pr##_additionalinput2, sizeof(pr##_additionalinput2), \
+    pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
+    pr##_returnedbits, sizeof(pr##_returnedbits), \
+    pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
+    pr##_pr_nonce, sizeof(pr##_pr_nonce), \
+    pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
+    pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
+    pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
+    pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
+    pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
+    pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
+    pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
+    }
+
+#define make_drbg_test_data_use_df(nid, pr, p) \
+    make_drbg_test_data(nid, 0, pr, p)
+
+#define make_drbg_test_data_no_df(nid, pr, p)                      \
+    make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p)
+
+static DRBG_SELFTEST_DATA drbg_test[] = {
+    make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df,  0),
+    make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df,  0),
+    make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df,  1),
+    make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0),
+    make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0),
+    make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1),
+};
+
+static int app_data_index;
+
+/*
+ * Test context data, attached as EXDATA to the RAND_DRBG
+ */
+typedef struct test_ctx_st {
+    const unsigned char *entropy;
+    size_t entropylen;
+    int entropycnt;
+    const unsigned char *nonce;
+    size_t noncelen;
+    int noncecnt;
+} TEST_CTX;
+
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
+                          int entropy, size_t min_len, size_t max_len,
+                          int prediction_resistance)
+{
+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+
+    t->entropycnt++;
+    *pout = (unsigned char *)t->entropy;
+    return t->entropylen;
+}
+
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
+                        int entropy, size_t min_len, size_t max_len)
+{
+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+
+    t->noncecnt++;
+    *pout = (unsigned char *)t->nonce;
+    return t->noncelen;
+}
+
+ /*
+ * Disable CRNG testing if it is enabled.
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
+ * for which the default personalisation string is used.
+ */
+static int disable_crngt(RAND_DRBG *drbg)
+{
+    static const char pers[] = DRBG_DEFAULT_PERS_STRING;
+    const int instantiate = drbg->state != DRBG_UNINITIALISED;
+
+    if (drbg->get_entropy != rand_crngt_get_entropy)
+        return 1;
+
+     if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
+        || !RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
+                                              &rand_drbg_cleanup_entropy,
+                                              &rand_drbg_get_nonce,
+                                              &rand_drbg_cleanup_nonce)
+        || (instantiate
+            && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
+                                      sizeof(pers) - 1)))
+        return 0;
+    return 1;
+}
+
+static int uninstantiate(RAND_DRBG *drbg)
+{
+    int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
+
+    ERR_clear_error();
+    return ret;
+}
+
+/*
+ * Do a single KAT test.  Return 0 on failure.
+ */
+static int single_kat(DRBG_SELFTEST_DATA *td)
+{
+    RAND_DRBG *drbg = NULL;
+    TEST_CTX t;
+    int failures = 0;
+    unsigned char buff[1024];
+
+    /*
+     * Test without PR: Instantiate DRBG with test entropy, nonce and
+     * personalisation string.
+     */
+    if ((drbg = RAND_DRBG_new(td->nid, td->flags, NULL)) == NULL)
+        return 0;
+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+                                           kat_nonce, NULL)
+        || !disable_crngt(drbg)) {
+        failures++;
+        goto err;
+    }
+    memset(&t, 0, sizeof(t));
+    t.entropy = td->entropy;
+    t.entropylen = td->entropylen;
+    t.nonce = td->nonce;
+    t.noncelen = td->noncelen;
+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+    if (!RAND_DRBG_instantiate(drbg, td->pers, td->perslen)
+            || !RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+                                             td->adin, td->adinlen)
+            || memcmp(td->expected, buff, td->exlen))
+        failures++;
+
+    /* Reseed DRBG with test entropy and additional input */
+    t.entropy = td->entropyreseed;
+    t.entropylen = td->entropyreseedlen;
+    if (!RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0)
+            || !RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
+                                             td->adin2, td->adin2len)
+            || memcmp(td->kat2, buff, td->kat2len))
+        failures++;
+    uninstantiate(drbg);
+
+    /*
+     * Now test with PR: Instantiate DRBG with test entropy, nonce and
+     * personalisation string.
+     */
+    if (!RAND_DRBG_set(drbg, td->nid, td->flags)
+            || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+                                                  kat_nonce, NULL))
+        failures++;
+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+    t.entropy = td->entropy_pr;
+    t.entropylen = td->entropylen_pr;
+    t.nonce = td->nonce_pr;
+    t.noncelen = td->noncelen_pr;
+    t.entropycnt = 0;
+    t.noncecnt = 0;
+    if (!RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr))
+        failures++;
+
+    /*
+     * Now generate with PR: we need to supply entropy as this will
+     * perform a reseed operation.
+     */
+    t.entropy = td->entropypr_pr;
+    t.entropylen = td->entropyprlen_pr;
+    if (!RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
+                                      td->adin_pr, td->adinlen_pr)
+            || memcmp(td->kat_pr, buff, td->katlen_pr))
+        failures++;
+
+    /*
+     * Now generate again with PR: supply new entropy again.
+     */
+    t.entropy = td->entropyg_pr;
+    t.entropylen = td->entropyglen_pr;
+
+    if (!RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
+                                      td->ading_pr, td->adinglen_pr)
+                || memcmp(td->kat2_pr, buff, td->kat2len_pr))
+        failures++;
+
+err:
+    uninstantiate(drbg);
+    RAND_DRBG_free(drbg);
+    return failures == 0;
+}
+
+/*
+ * Initialise a DRBG based on selftest data
+ */
+static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
+{
+    if (!RAND_DRBG_set(drbg, td->nid, td->flags)
+            || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+                                                  kat_nonce, NULL))
+        return 0;
+    RAND_DRBG_set_ex_data(drbg, app_data_index, t);
+    t->entropy = td->entropy;
+    t->entropylen = td->entropylen;
+    t->nonce = td->nonce;
+    t->noncelen = td->noncelen;
+    t->entropycnt = 0;
+    t->noncecnt = 0;
+    return 1;
+}
+
+/*
+ * Initialise and instantiate DRBG based on selftest data
+ */
+static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td,
+                       TEST_CTX *t)
+{
+    if (!init(drbg, td, t)
+            || !RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
+        return 0;
+    return 1;
+}
+
+/*
+ * Perform extensive error checking as required by SP800-90.
+ * Induce several failure modes and check an error condition is set.
+ */
+static int error_check(DRBG_SELFTEST_DATA *td)
+{
+    static char zero[sizeof(RAND_DRBG)];
+    RAND_DRBG *drbg = NULL;
+    TEST_CTX t;
+    unsigned char buff[1024];
+    unsigned int reseed_counter_tmp;
+    int ret = 0;
+
+    if (!(drbg = RAND_DRBG_new(0, 0, NULL))
+	|| !disable_crngt(drbg))
+        goto err;
+
+    /*
+     * Personalisation string tests
+     */
+
+    /* Test detection of too large personalisation string */
+    if (!init(drbg, td, &t)
+            || RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
+        goto err;
+
+    /*
+     * Entropy source tests
+     */
+
+    /* Test entropy source failure detection: i.e. returns no data */
+    t.entropylen = 0;
+    if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0)
+        goto err;
+
+    /* Try to generate output from uninstantiated DRBG */
+    if (RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+                                       td->adin, td->adinlen)
+            || !uninstantiate(drbg))
+        goto err;
+
+    /* Test insufficient entropy */
+    if (!init(drbg, td, &t))
+        goto err;
+    t.entropylen = drbg->min_entropylen - 1;
+    if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+            || !uninstantiate(drbg))
+        goto err;
+
+    /* Test too much entropy */
+    if (!init(drbg, td, &t))
+        goto err;
+    t.entropylen = drbg->max_entropylen + 1;
+    if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+            || !uninstantiate(drbg))
+        goto err;
+
+    /*
+     * Nonce tests
+     */
+
+    /* Test too small nonce */
+    if (drbg->min_noncelen) {
+        if (!init(drbg, td, &t))
+            goto err;
+        t.noncelen = drbg->min_noncelen - 1;
+        if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+                || !uninstantiate(drbg))
+            goto err;
+    }
+
+    /* Test too large nonce */
+    if (drbg->max_noncelen) {
+        if (!init(drbg, td, &t))
+            goto err;
+        t.noncelen = drbg->max_noncelen + 1;
+        if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+                || !uninstantiate(drbg))
+            goto err;
+    }
+
+    /* Instantiate with valid data, Check generation is now OK */
+    if (!instantiate(drbg, td, &t)
+            || !RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+                                             td->adin, td->adinlen))
+        goto err;
+
+    /* Request too much data for one request */
+    if (RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
+                                       td->adin, td->adinlen))
+        goto err;
+
+    /* Try too large additional input */
+    if (RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+                                       td->adin, drbg->max_adinlen + 1))
+        goto err;
+
+    /*
+     * Check prediction resistance request fails if entropy source
+     * failure.
+     */
+    t.entropylen = 0;
+    if (RAND_DRBG_generate(drbg, buff, td->exlen, 1,
+                                      td->adin, td->adinlen)
+            || !uninstantiate(drbg))
+        goto err;
+
+    /* Instantiate again with valid data */
+    if (!instantiate(drbg, td, &t))
+        goto err;
+    reseed_counter_tmp = drbg->reseed_gen_counter;
+    drbg->reseed_gen_counter = drbg->reseed_interval;
+
+    /* Generate output and check entropy has been requested for reseed */
+    t.entropycnt = 0;
+    if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+                                      td->adin, td->adinlen)
+            || t.entropycnt != 1
+            || drbg->reseed_gen_counter != reseed_counter_tmp + 1
+            || !uninstantiate(drbg))
+        goto err;
+
+    /*
+     * Check prediction resistance request fails if entropy source
+     * failure.
+     */
+    t.entropylen = 0;
+    if (RAND_DRBG_generate(drbg, buff, td->exlen, 1,
+                                       td->adin, td->adinlen)
+            || !uninstantiate(drbg))
+        goto err;
+
+    /* Test reseed counter works */
+    if (!instantiate(drbg, td, &t))
+        goto err;
+    reseed_counter_tmp = drbg->reseed_gen_counter;
+    drbg->reseed_gen_counter = drbg->reseed_interval;
+
+    /* Generate output and check entropy has been requested for reseed */
+    t.entropycnt = 0;
+    if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
+                                      td->adin, td->adinlen)
+            || t.entropycnt != 1
+            || drbg->reseed_gen_counter != reseed_counter_tmp + 1
+            || !uninstantiate(drbg))
+        goto err;
+
+    /*
+     * Explicit reseed tests
+     */
+
+    /* Test explicit reseed with too large additional input */
+    if (!instantiate(drbg, td, &t)
+            || RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0)
+        goto err;
+
+    /* Test explicit reseed with entropy source failure */
+    t.entropylen = 0;
+    if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
+            || !uninstantiate(drbg))
+        goto err;
+
+    /* Test explicit reseed with too much entropy */
+    if (!instantiate(drbg, td, &t))
+        goto err;
+    t.entropylen = drbg->max_entropylen + 1;
+    if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
+            || !uninstantiate(drbg))
+        goto err;
+
+    /* Test explicit reseed with too little entropy */
+    if (!instantiate(drbg, td, &t))
+        goto err;
+    t.entropylen = drbg->min_entropylen - 1;
+    if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
+            || !uninstantiate(drbg))
+        goto err;
+
+    /* Standard says we have to check uninstantiate really zeroes */
+    /*
+     * RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(),
+     * but right after that it resets drbg->data.ctr using RAND_DRBG_set(), so
+     * the following memcmp will fail.
+     */
+#if 0
+    if (memcmp(zero, &drbg->data, sizeof(drbg->data)))
+        goto err;
+#endif
+
+    ret = 1;
+
+err:
+    uninstantiate(drbg);
+    RAND_DRBG_free(drbg);
+    return ret;
+}
+
+static int test_kats(int i)
+{
+    DRBG_SELFTEST_DATA *td = &drbg_test[i];
+    int rv = 0;
+
+    if (!single_kat(td))
+        goto err;
+    rv = 1;
+
+err:
+    return rv;
+}
+
+static int test_error_checks(int i)
+{
+    DRBG_SELFTEST_DATA *td = &drbg_test[i];
+    int rv = 0;
+
+    if (!error_check(td))
+        goto err;
+    rv = 1;
+
+err:
+    return rv;
+}
+
+/*
+ * Hook context data, attached as EXDATA to the RAND_DRBG
+ */
+typedef struct hook_ctx_st {
+    RAND_DRBG *drbg;
+    /*
+     * Currently, all DRBGs use the same get_entropy() callback.
+     * The tests however, don't assume this and store
+     * the original callback for every DRBG separately.
+     */
+    RAND_DRBG_get_entropy_fn get_entropy;
+    /* forces a failure of the get_entropy() call if nonzero */
+    int fail;
+    /* counts successful reseeds */
+    int reseed_count;
+} HOOK_CTX;
+
+static HOOK_CTX master_ctx, public_ctx, private_ctx;
+
+static HOOK_CTX *get_hook_ctx(RAND_DRBG *drbg)
+{
+    return (HOOK_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+}
+
+/* Intercepts and counts calls to the get_entropy() callback */
+static size_t get_entropy_hook(RAND_DRBG *drbg, unsigned char **pout,
+                              int entropy, size_t min_len, size_t max_len,
+                              int prediction_resistance)
+{
+    size_t ret;
+    HOOK_CTX *ctx = get_hook_ctx(drbg);
+
+    if (ctx->fail != 0)
+        return 0;
+
+    ret = ctx->get_entropy(drbg, pout, entropy, min_len, max_len,
+                           prediction_resistance);
+
+    if (ret != 0)
+        ctx->reseed_count++;
+    return ret;
+}
+
+/* Installs a hook for the get_entropy() callback of the given drbg */
+static void hook_drbg(RAND_DRBG *drbg, HOOK_CTX *ctx)
+{
+    memset(ctx, 0, sizeof(*ctx));
+    ctx->drbg = drbg;
+    ctx->get_entropy = drbg->get_entropy;
+    drbg->get_entropy = get_entropy_hook;
+    RAND_DRBG_set_ex_data(drbg, app_data_index, ctx);
+}
+
+/* Installs the hook for the get_entropy() callback of the given drbg */
+static void unhook_drbg(RAND_DRBG *drbg)
+{
+    HOOK_CTX *ctx = get_hook_ctx(drbg);
+
+    drbg->get_entropy = ctx->get_entropy;
+    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
+}
+
+/* Resets the given hook context */
+static void reset_hook_ctx(HOOK_CTX *ctx)
+{
+    ctx->fail = 0;
+    ctx->reseed_count = 0;
+}
+
+/* Resets all drbg hook contexts */
+static void reset_drbg_hook_ctx(void)
+{
+    reset_hook_ctx(&master_ctx);
+    reset_hook_ctx(&public_ctx);
+    reset_hook_ctx(&private_ctx);
+}
+
+/*
+ * Generates random output using RAND_bytes() and RAND_priv_bytes()
+ * and checks whether the three shared DRBGs were reseeded as
+ * expected.
+ *
+ * |expect_success|: expected outcome (as reported by RAND_status())
+ * |master|, |public|, |private|: pointers to the three shared DRBGs
+ * |expect_xxx_reseed| =
+ *       1:  it is expected that the specified DRBG is reseeded
+ *       0:  it is expected that the specified DRBG is not reseeded
+ *      -1:  don't check whether the specified DRBG was reseeded or not
+ * |reseed_time|: if nonzero, used instead of time(NULL) to set the
+ *                |before_reseed| time.
+ */
+static int test_drbg_reseed(int expect_success,
+                            RAND_DRBG *master,
+                            RAND_DRBG *public,
+                            RAND_DRBG *private,
+                            int expect_master_reseed,
+                            int expect_public_reseed,
+                            int expect_private_reseed,
+                            time_t reseed_time
+                           )
+{
+    unsigned char buf[32];
+    time_t before_reseed, after_reseed;
+    int expected_state = (expect_success ? DRBG_READY : DRBG_ERROR);
+
+    /*
+     * step 1: check preconditions
+     */
+
+    /* Test whether seed propagation is enabled */
+    if (master->reseed_prop_counter == 0
+        || public->reseed_prop_counter == 0
+        || private->reseed_prop_counter == 0)
+        return 0;
+
+    /* Check whether the master DRBG's reseed counter is the largest one */
+    if (public->reseed_prop_counter > master->reseed_prop_counter
+        || private->reseed_prop_counter > master->reseed_prop_counter)
+        return 0;
+
+    /*
+     * step 2: generate random output
+     */
+
+    if (reseed_time == 0)
+        reseed_time = time(NULL);
+
+    /* Generate random output from the public and private DRBG */
+    before_reseed = expect_master_reseed == 1 ? reseed_time : 0;
+    if (RAND_bytes(buf, sizeof(buf)) != expect_success
+        || RAND_priv_bytes(buf, sizeof(buf)) != expect_success)
+        return 0;
+    after_reseed = time(NULL);
+
+
+    /*
+     * step 3: check postconditions
+     */
+
+    /* Test whether reseeding succeeded as expected */
+    if (master->state != expected_state
+        || public->state != expected_state
+        || private->state != expected_state)
+        return 0;
+
+    if (expect_master_reseed >= 0) {
+        /* Test whether master DRBG was reseeded as expected */
+        if (master_ctx.reseed_count != expect_master_reseed)
+            return 0;
+    }
+
+    if (expect_public_reseed >= 0) {
+        /* Test whether public DRBG was reseeded as expected */
+        if (public_ctx.reseed_count != expect_public_reseed)
+            return 0;
+    }
+
+    if (expect_private_reseed >= 0) {
+        /* Test whether public DRBG was reseeded as expected */
+        if (private_ctx.reseed_count != expect_private_reseed)
+            return 0;
+    }
+
+    if (expect_success == 1) {
+        /* Test whether all three reseed counters are synchronized */
+        if (public->reseed_prop_counter != master->reseed_prop_counter
+            || private->reseed_prop_counter != master->reseed_prop_counter)
+            return 0;
+
+        /* Test whether reseed time of master DRBG is set correctly */
+        if (before_reseed > master->reseed_time
+            || master->reseed_time > after_reseed)
+            return 0;
+
+        /* Test whether reseed times of child DRBGs are synchronized with master */
+        if (public->reseed_time < master->reseed_time
+            || private->reseed_time < master->reseed_time)
+            return 0;
+    } else {
+        ERR_clear_error();
+    }
+
+    return 1;
+}
+
+
+#if defined(OPENSSL_SYS_UNIX)
+/*
+ * Test whether master, public and private DRBG are reseeded after
+ * forking the process.
+ */
+static int test_drbg_reseed_after_fork(RAND_DRBG *master,
+                                       RAND_DRBG *public,
+                                       RAND_DRBG *private)
+{
+    pid_t pid;
+    int status=0;
+
+    pid = fork();
+    if (pid < 0)
+        return 0;
+
+    if (pid > 0) {
+        /* I'm the parent; wait for the child and check its exit code */
+        return (waitpid(pid, &status, 0) == pid) && status == 0;
+    }
+
+    /* I'm the child; check whether all three DRBGs reseed. */
+    if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))
+        status = 1;
+
+    /* Remove hooks  */
+    unhook_drbg(master);
+    unhook_drbg(public);
+    unhook_drbg(private);
+    exit(status);
+}
+#endif
+
+/*
+ * Test whether the default rand_method (RAND_OpenSSL()) is
+ * setup correctly, in particular whether reseeding  works
+ * as designed.
+ */
+static int test_rand_drbg_reseed(void)
+{
+    RAND_DRBG *master, *public, *private;
+    unsigned char rand_add_buf[256];
+    int rv=0;
+    time_t before_reseed;
+
+    /* Check whether RAND_OpenSSL() is the default method */
+    if (RAND_get_rand_method() != RAND_OpenSSL())
+        return 0;
+
+    /* All three DRBGs should be non-null */
+    if (!(master = RAND_DRBG_get0_master())
+        || !(public = RAND_DRBG_get0_public())
+        || !(private = RAND_DRBG_get0_private()))
+        return 0;
+
+    /* There should be three distinct DRBGs, two of them chained to master */
+    if (public == private
+        || public == master
+        || private == master
+        || public->parent != master
+        || private->parent != master)
+        return 0;
+
+    /* Disable CRNG testing for the master DRBG */
+    if (!disable_crngt(master))
+        return 0;
+
+    /* uninstantiate the three global DRBGs */
+    RAND_DRBG_uninstantiate(private);
+    RAND_DRBG_uninstantiate(public);
+    RAND_DRBG_uninstantiate(master);
+
+
+    /* Install hooks for the following tests */
+    hook_drbg(master,  &master_ctx);
+    hook_drbg(public,  &public_ctx);
+    hook_drbg(private, &private_ctx);
+
+
+    /*
+     * Test initial seeding of shared DRBGs
+     */
+    if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))
+        goto error;
+    reset_drbg_hook_ctx();
+
+
+    /*
+     * Test initial state of shared DRBGs
+     */
+    if (!test_drbg_reseed(1, master, public, private, 0, 0, 0, 0))
+        goto error;
+    reset_drbg_hook_ctx();
+
+    /*
+     * Test whether the public and private DRBG are both reseeded when their
+     * reseed counters differ from the master's reseed counter.
+     */
+    master->reseed_prop_counter++;
+    if (!test_drbg_reseed(1, master, public, private, 0, 1, 1, 0))
+        goto error;
+    reset_drbg_hook_ctx();
+
+    /*
+     * Test whether the public DRBG is reseeded when its reseed counter differs
+     * from the master's reseed counter.
+     */
+    master->reseed_prop_counter++;
+    private->reseed_prop_counter++;
+    if (!test_drbg_reseed(1, master, public, private, 0, 1, 0, 0))
+        goto error;
+    reset_drbg_hook_ctx();
+
+    /*
+     * Test whether the private DRBG is reseeded when its reseed counter differs
+     * from the master's reseed counter.
+     */
+    master->reseed_prop_counter++;
+    public->reseed_prop_counter++;
+    if (!test_drbg_reseed(1, master, public, private, 0, 0, 1, 0))
+        goto error;
+    reset_drbg_hook_ctx();
+
+#if defined(OPENSSL_SYS_UNIX)
+    if (!test_drbg_reseed_after_fork(master, public, private))
+        goto error;
+#endif
+
+    /* fill 'randomness' buffer with some arbitrary data */
+    memset(rand_add_buf, 'r', sizeof(rand_add_buf));
+
+    /*
+     * Test whether all three DRBGs are reseeded by RAND_add().
+     * The before_reseed time has to be measured here and passed into the
+     * test_drbg_reseed() test, because the master DRBG gets already reseeded
+     * in RAND_add(), whence the check for the condition
+     * before_reseed <= master->reseed_time will fail if the time value happens
+     * to increase between the RAND_add() and the test_drbg_reseed() call.
+     */
+    before_reseed = time(NULL);
+    RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
+    if (!test_drbg_reseed(1, master, public, private, 1, 1, 1,
+                                    before_reseed))
+        goto error;
+    reset_drbg_hook_ctx();
+
+
+    /*
+     * Test whether none of the DRBGs is reseed if the master fails to reseed
+     */
+    master_ctx.fail = 1;
+    master->reseed_prop_counter++;
+    RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
+    if (!test_drbg_reseed(0, master, public, private, 0, 0, 0, 0))
+        goto error;
+    reset_drbg_hook_ctx();
+
+    rv = 1;
+
+error:
+    /* Remove hooks  */
+    unhook_drbg(master);
+    unhook_drbg(public);
+    unhook_drbg(private);
+
+    return rv;
+}
+
+#if defined(OPENSSL_THREADS)
+static int multi_thread_rand_bytes_succeeded = 1;
+static int multi_thread_rand_priv_bytes_succeeded = 1;
+
+static void run_multi_thread_test(void)
+{
+    unsigned char buf[256];
+    time_t start = time(NULL);
+    RAND_DRBG *public = NULL, *private = NULL;
+
+    if (!(public = RAND_DRBG_get0_public())
+            || !(private = RAND_DRBG_get0_private())) {
+        multi_thread_rand_bytes_succeeded = 0;
+        return;
+    }
+    RAND_DRBG_set_reseed_time_interval(private, 1);
+    RAND_DRBG_set_reseed_time_interval(public, 1);
+
+    do {
+        if (RAND_bytes(buf, sizeof(buf)) <= 0)
+            multi_thread_rand_bytes_succeeded = 0;
+        if (RAND_priv_bytes(buf, sizeof(buf)) <= 0)
+            multi_thread_rand_priv_bytes_succeeded = 0;
+    }
+    while(time(NULL) - start < 5);
+}
+
+# if defined(OPENSSL_SYS_WINDOWS)
+
+typedef HANDLE thread_t;
+
+static DWORD WINAPI thread_run(LPVOID arg)
+{
+    run_multi_thread_test();
+    /*
+     * Because we're linking with a static library, we must stop each
+     * thread explicitly, or so says OPENSSL_thread_stop(3)
+     */
+    OPENSSL_thread_stop();
+    return 0;
+}
+
+static int run_thread(thread_t *t)
+{
+    *t = CreateThread(NULL, 0, thread_run, NULL, 0, NULL);
+    return *t != NULL;
+}
+
+static int wait_for_thread(thread_t thread)
+{
+    return WaitForSingleObject(thread, INFINITE) == 0;
+}
+
+# else
+
+typedef pthread_t thread_t;
+
+static void *thread_run(void *arg)
+{
+    run_multi_thread_test();
+    /*
+     * Because we're linking with a static library, we must stop each
+     * thread explicitly, or so says OPENSSL_thread_stop(3)
+     */
+    OPENSSL_thread_stop();
+    return NULL;
+}
+
+static int run_thread(thread_t *t)
+{
+    return pthread_create(t, NULL, thread_run, NULL) == 0;
+}
+
+static int wait_for_thread(thread_t thread)
+{
+    return pthread_join(thread, NULL) == 0;
+}
+
+# endif
+
+/*
+ * The main thread will also run the test, so we'll have THREADS+1 parallel
+ * tests running
+ */
+# define THREADS 3
+
+static int test_multi_thread(void)
+{
+    thread_t t[THREADS];
+    int i;
+
+    for (i = 0; i < THREADS; i++)
+        run_thread(&t[i]);
+    run_multi_thread_test();
+    for (i = 0; i < THREADS; i++)
+        wait_for_thread(t[i]);
+
+    if (!multi_thread_rand_bytes_succeeded)
+        return 0;
+    if (!multi_thread_rand_priv_bytes_succeeded)
+        return 0;
+
+    return 1;
+}
+#endif
+
+/*
+ * Test that instantiation with RAND_seed() works as expected
+ *
+ * If no os entropy source is available then RAND_seed(buffer, bufsize)
+ * is expected to succeed if and only if the buffer length is at least
+ * rand_drbg_seedlen(master) bytes.
+ *
+ * If an os entropy source is available then RAND_seed(buffer, bufsize)
+ * is expected to succeed always.
+ */
+static int test_rand_seed(void)
+{
+    RAND_DRBG *master = NULL;
+    unsigned char rand_buf[256];
+    size_t rand_buflen;
+    size_t required_seed_buflen = 0;
+
+    if (!(master = RAND_DRBG_get0_master())
+        || !disable_crngt(master))
+        return 0;
+
+#ifdef OPENSSL_RAND_SEED_NONE
+    required_seed_buflen = rand_drbg_seedlen(master);
+#endif
+
+    memset(rand_buf, 0xCD, sizeof(rand_buf));
+
+    for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
+        RAND_DRBG_uninstantiate(master);
+        RAND_seed(rand_buf, rand_buflen);
+
+        if (RAND_status() != (rand_buflen >= required_seed_buflen))
+            return 0;
+    }
+
+    return 1;
+}
+
+/*
+ * Test that adding additional data with RAND_add() works as expected
+ * when the master DRBG is instantiated (and below its reseed limit).
+ *
+ * This should succeed regardless of whether an os entropy source is
+ * available or not.
+ */
+static int test_rand_add(void)
+{
+    unsigned char rand_buf[256];
+    size_t rand_buflen;
+
+    memset(rand_buf, 0xCD, sizeof(rand_buf));
+
+    /* make sure it's instantiated */
+    RAND_seed(rand_buf, sizeof(rand_buf));
+    if (!RAND_status())
+        return 0;
+
+    for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
+        RAND_add(rand_buf, rand_buflen, 0.0);
+        if (!RAND_status())
+            return 0;
+    }
+
+    return 1;
+}
+
+/*
+ * A list of the FIPS DRGB types.
+ */
+static const struct s_drgb_types {
+    int nid;
+    int flags;
+} drgb_types[] = {
+    { NID_aes_128_ctr,  0                   },
+    { NID_aes_192_ctr,  0                   },
+    { NID_aes_256_ctr,  0                   },
+};
+
+/* Six cases for each covers seed sizes up to 32 bytes */
+static const size_t crngt_num_cases = 6;
+
+static size_t crngt_case, crngt_idx;
+
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
+                            unsigned int *md_size)
+{
+    size_t i, z;
+
+    if (crngt_idx >= crngt_num_cases)
+        return 0;
+    /* Generate a block of unique data unless this is the duplication point */
+    z = crngt_idx++;
+    if (z > 0 && crngt_case == z)
+        z--;
+    for (i = 0; i < CRNGT_BUFSIZ; i++)
+        buf[i] = (unsigned char)(i + 'A' + z);
+    return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
+}
+
+static int test_crngt(int n)
+{
+    const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
+    RAND_DRBG *drbg = NULL;
+    unsigned char buff[100];
+    size_t ent;
+    int res = 0;
+    int expect;
+
+    if (!rand_crngt_single_init())
+        return 0;
+    rand_crngt_cleanup();
+
+    if (!(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
+        return 0;
+    ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
+    crngt_case = n % crngt_num_cases;
+    crngt_idx = 0;
+    crngt_get_entropy = &crngt_entropy_cb;
+    if (!rand_crngt_init())
+        goto err;
+#ifndef OPENSSL_FIPS
+    if (!RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
+                                           &rand_crngt_cleanup_entropy,
+                                           &rand_drbg_get_nonce,
+                                           &rand_drbg_cleanup_nonce))
+        goto err;
+#endif
+    expect = crngt_case == 0 || crngt_case > ent;
+    if (RAND_DRBG_instantiate(drbg, NULL, 0) != expect)
+        goto err;
+    if (!expect)
+        goto fin;
+    if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))
+        goto err;
+
+    expect = crngt_case == 0 || crngt_case > 2 * ent;
+    if (RAND_DRBG_reseed(drbg, NULL, 0, 0) != expect)
+        goto err;
+    if (!expect)
+        goto fin;
+    if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))
+        goto err;
+
+fin:
+    res = 1;
+err:
+#if 0
+    if (!res)
+        TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
+                  crngt_case, crngt_idx);
+#endif
+    uninstantiate(drbg);
+    RAND_DRBG_free(drbg);
+    crngt_get_entropy = &rand_crngt_get_entropy_cb;
+    return res;
+}
+
+int FIPS_selftest_drbg(void)
+{
+    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+    int i;
+
+    for (i = 0; i < OSSL_NELEM(drbg_test); i++) {
+        if (!test_kats(i))
+            return 0;
+    }
+    for (i = 0; i < OSSL_NELEM(drbg_test); i++) {
+        if (!test_error_checks(i))
+            return 0;
+    }
+
+#if 0
+    if (!test_rand_drbg_reseed())
+            return 0;
+    if (!test_rand_seed())
+            return 0;
+    if (!test_rand_add())
+            return 0;
+#if defined(OPENSSL_THREADS)
+    if (!test_multi_thread())
+            return 0;
+#endif
+    for (i = 0; i < crngt_num_cases * OSSL_NELEM(drgb_types); i++) {
+        if (!test_crngt(i))
+            return 0;
+    }
+#endif
+    return 1;
+}
+
Index: openssl-1.1.1d/crypto/fips/drbgtest.h
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.1.1d/crypto/fips/drbgtest.h	2020-03-02 14:59:32.158208038 +0100
@@ -0,0 +1,579 @@
+/*
+ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Known answer tests for SP800-90 DRBG CTR mode.
+ */
+
+
+/*
+ * AES-128 use df PR
+ */
+static const unsigned char aes_128_use_df_pr_entropyinput[] = {
+    0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
+    0xc8, 0xdb, 0xff, 0x12
+};
+static const unsigned char aes_128_use_df_pr_nonce[] = {
+    0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
+};
+static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
+    0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
+    0xd7, 0xd7, 0x01, 0x67
+};
+static const unsigned char aes_128_use_df_pr_additionalinput[] = {
+    0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
+    0x9a, 0x47, 0x08, 0x76
+};
+static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
+    0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
+    0x09, 0xfb, 0xa3, 0xb6
+};
+static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
+    0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
+    0x66, 0x1c, 0xea, 0x5b
+};
+static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
+    0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
+    0x3f, 0x5e, 0x31, 0x06
+};
+static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
+    0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
+    0xa7, 0xe3, 0xa8, 0x67
+};
+static const unsigned char aes_128_use_df_pr_returnedbits[] = {
+    0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
+    0x0f, 0x38, 0x43, 0xc6
+};
+
+
+/*
+ * AES-128 use df no PR
+ */
+static const unsigned char aes_128_use_df_entropyinput[] = {
+    0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
+    0x9d, 0x7d, 0x1c, 0x9b
+};
+static const unsigned char aes_128_use_df_nonce[] = {
+    0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96,
+};
+static const unsigned char aes_128_use_df_personalizationstring[] = {
+    0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
+    0x38, 0x66, 0xba, 0x1b
+};
+static const unsigned char aes_128_use_df_additionalinput[] = {
+    0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
+    0xb5, 0xe2, 0xb2, 0x41
+};
+static const unsigned char aes_128_use_df_int_returnedbits[] = {
+    0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
+    0xe7, 0x57, 0x11, 0xb4
+};
+static const unsigned char aes_128_use_df_entropyinputreseed[] = {
+    0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
+    0xc7, 0xc4, 0x9e, 0x39
+};
+static const unsigned char aes_128_use_df_additionalinputreseed[] = {
+    0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
+    0xc8, 0x93, 0xfa, 0x84
+};
+static const unsigned char aes_128_use_df_additionalinput2[] = {
+    0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
+    0x06, 0x0c, 0x15, 0x2c
+};
+static const unsigned char aes_128_use_df_returnedbits[] = {
+    0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
+    0x46, 0x81, 0xc7, 0x19
+};
+
+
+/*
+ * AES-192 use df PR
+ */
+static const unsigned char aes_192_use_df_pr_entropyinput[] = {
+    0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
+    0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
+};
+static const unsigned char aes_192_use_df_pr_nonce[] = {
+    0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
+    0xd1, 0x80, 0x78, 0xfa
+};
+static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
+    0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
+    0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
+    0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
+};
+static const unsigned char aes_192_use_df_pr_additionalinput[] = {
+    0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
+    0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
+    0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
+};
+static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
+    0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
+    0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5,
+};
+static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
+    0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
+    0x19, 0x30, 0x6b, 0x67
+};
+static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
+    0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
+    0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
+    0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
+};
+static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
+    0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
+    0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e,
+};
+static const unsigned char aes_192_use_df_pr_returnedbits[] = {
+    0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
+    0x7e, 0x1a, 0x2b, 0x83
+};
+
+
+/*
+ * AES-192 use df no PR
+ */
+static const unsigned char aes_192_use_df_entropyinput[] = {
+    0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
+    0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b,
+};
+static const unsigned char aes_192_use_df_nonce[] = {
+    0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
+    0x77, 0xd7, 0x41, 0x0e
+};
+static const unsigned char aes_192_use_df_personalizationstring[] = {
+    0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
+    0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
+    0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
+};
+static const unsigned char aes_192_use_df_additionalinput[] = {
+    0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
+    0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
+    0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
+};
+static const unsigned char aes_192_use_df_int_returnedbits[] = {
+    0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
+    0xb7, 0xed, 0xe9, 0xea
+};
+static const unsigned char aes_192_use_df_entropyinputreseed[] = {
+    0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
+    0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01,
+};
+static const unsigned char aes_192_use_df_additionalinputreseed[] = {
+    0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
+    0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
+    0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
+};
+static const unsigned char aes_192_use_df_additionalinput2[] = {
+    0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
+    0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
+    0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
+};
+static const unsigned char aes_192_use_df_returnedbits[] = {
+    0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
+    0x1a, 0xf9, 0x13, 0x28
+};
+
+
+/*
+ * AES-256 use df PR
+ */
+static const unsigned char aes_256_use_df_pr_entropyinput[] = {
+    0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
+    0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
+    0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
+};
+static const unsigned char aes_256_use_df_pr_nonce[] = {
+    0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
+    0x2b, 0x36, 0xff, 0xa4
+};
+static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
+    0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
+    0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
+    0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
+};
+static const unsigned char aes_256_use_df_pr_additionalinput[] = {
+    0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
+    0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
+    0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
+};
+static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
+    0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
+    0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
+    0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
+};
+static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
+    0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
+    0x17, 0xab, 0x3c, 0x7a
+};
+static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
+    0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
+    0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
+    0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
+};
+static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
+    0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
+    0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
+    0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
+};
+static const unsigned char aes_256_use_df_pr_returnedbits[] = {
+    0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
+    0xd9, 0xe2, 0x97, 0x00
+};
+
+
+/*
+ * AES-256 use df no PR
+ */
+static const unsigned char aes_256_use_df_entropyinput[] = {
+    0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
+    0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
+    0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
+};
+static const unsigned char aes_256_use_df_nonce[] = {
+    0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
+    0x4c, 0x44, 0x84, 0x40
+};
+static const unsigned char aes_256_use_df_personalizationstring[] = {
+    0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
+    0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
+    0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
+};
+static const unsigned char aes_256_use_df_additionalinput[] = {
+    0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
+    0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
+    0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
+};
+static const unsigned char aes_256_use_df_int_returnedbits[] = {
+    0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
+    0x28, 0x0c, 0x3b, 0xc1
+};
+static const unsigned char aes_256_use_df_entropyinputreseed[] = {
+    0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
+    0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
+    0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
+};
+static const unsigned char aes_256_use_df_additionalinputreseed[] = {
+    0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
+    0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
+    0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
+};
+static const unsigned char aes_256_use_df_additionalinput2[] = {
+    0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
+    0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
+    0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
+};
+static const unsigned char aes_256_use_df_returnedbits[] = {
+    0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
+    0xfa, 0xfd, 0x35, 0x5e
+};
+
+
+/*
+ * AES-128 no df PR
+ */
+static const unsigned char aes_128_no_df_pr_entropyinput[] = {
+    0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
+    0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
+    0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
+};
+static const unsigned char aes_128_no_df_pr_nonce[] = {
+    0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1,
+};
+static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
+    0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
+    0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
+    0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
+};
+static const unsigned char aes_128_no_df_pr_additionalinput[] = {
+    0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
+    0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
+    0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
+};
+static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
+    0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
+    0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
+    0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
+};
+static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
+    0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
+    0xaf, 0x19, 0x32, 0x16
+};
+static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
+    0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
+    0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
+    0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
+};
+static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
+    0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
+    0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
+    0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
+};
+static const unsigned char aes_128_no_df_pr_returnedbits[] = {
+    0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
+    0x57, 0x82, 0x33, 0xaf
+};
+
+
+/*
+ * AES-128 no df no PR
+ */
+static const unsigned char aes_128_no_df_entropyinput[] = {
+    0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
+    0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
+    0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
+};
+static const unsigned char aes_128_no_df_nonce[] = {
+    0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13,
+};
+static const unsigned char aes_128_no_df_personalizationstring[] = {
+    0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
+    0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
+    0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
+};
+static const unsigned char aes_128_no_df_additionalinput[] = {
+    0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
+    0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
+    0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
+};
+static const unsigned char aes_128_no_df_int_returnedbits[] = {
+    0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
+    0xed, 0x3e, 0x65, 0xc2
+};
+static const unsigned char aes_128_no_df_entropyinputreseed[] = {
+    0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
+    0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
+    0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
+};
+static const unsigned char aes_128_no_df_additionalinputreseed[] = {
+    0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
+    0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
+    0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
+};
+static const unsigned char aes_128_no_df_additionalinput2[] = {
+    0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
+    0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
+    0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
+};
+static const unsigned char aes_128_no_df_returnedbits[] = {
+    0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
+    0x81, 0x37, 0x19, 0xd4
+};
+
+
+/*
+ * AES-192 no df PR
+ */
+static const unsigned char aes_192_no_df_pr_entropyinput[] = {
+    0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
+    0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
+    0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
+    0x17, 0x1f, 0x8d, 0x9a
+};
+static const unsigned char aes_192_no_df_pr_nonce[] = {
+    0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
+    0x61, 0x5c, 0xee, 0x0f
+};
+static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
+    0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
+    0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
+    0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
+    0x57, 0x2e, 0xe7, 0x55
+};
+static const unsigned char aes_192_no_df_pr_additionalinput[] = {
+    0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
+    0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
+    0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
+    0xe2, 0xd0, 0x0c, 0x2f
+};
+static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
+    0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
+    0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
+    0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
+    0x1d, 0x30, 0xb3, 0x78
+};
+static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
+    0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
+    0x7e, 0x3e, 0x0c, 0x26
+};
+static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
+    0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
+    0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
+    0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
+    0x0c, 0x4b, 0xee, 0x6e
+};
+static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
+    0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
+    0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
+    0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
+    0x8e, 0x0a, 0x83, 0xdf
+};
+static const unsigned char aes_192_no_df_pr_returnedbits[] = {
+    0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
+    0xb9, 0xa1, 0x21, 0x68
+};
+
+
+/*
+ * AES-192 no df no PR
+ */
+static const unsigned char aes_192_no_df_entropyinput[] = {
+    0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
+    0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
+    0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
+    0x94, 0xc3, 0x59, 0x63
+};
+static const unsigned char aes_192_no_df_nonce[] = {
+    0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
+    0x29, 0xfd, 0x45, 0x71
+};
+static const unsigned char aes_192_no_df_personalizationstring[] = {
+    0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
+    0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
+    0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
+    0x3b, 0x88, 0xce, 0x35
+};
+static const unsigned char aes_192_no_df_additionalinput[] = {
+    0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
+    0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
+    0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
+    0x3e, 0xbe, 0xd4, 0x8e
+};
+static const unsigned char aes_192_no_df_int_returnedbits[] = {
+    0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
+    0x45, 0xe7, 0x4a, 0xc5
+};
+static const unsigned char aes_192_no_df_entropyinputreseed[] = {
+    0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
+    0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
+    0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
+    0x9b, 0xcb, 0x7e, 0x75
+};
+static const unsigned char aes_192_no_df_additionalinputreseed[] = {
+    0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
+    0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
+    0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
+    0x5d, 0x7a, 0x25, 0x79
+};
+static const unsigned char aes_192_no_df_additionalinput2[] = {
+    0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
+    0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
+    0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
+    0x91, 0x6a, 0xe3, 0x5f
+};
+static const unsigned char aes_192_no_df_returnedbits[] = {
+    0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
+    0x66, 0x67, 0x2c, 0x92
+};
+
+
+/*
+ * AES-256 no df PR
+ */
+static const unsigned char aes_256_no_df_pr_entropyinput[] = {
+    0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
+    0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
+    0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
+    0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c,
+};
+static const unsigned char aes_256_no_df_pr_nonce[] = {
+    0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
+    0xcc, 0x4b, 0xee, 0x2e
+};
+static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
+    0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
+    0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
+    0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
+    0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06,
+};
+static const unsigned char aes_256_no_df_pr_additionalinput[] = {
+    0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
+    0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
+    0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
+    0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e,
+};
+static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
+    0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
+    0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
+    0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
+    0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f,
+};
+static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
+    0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
+    0x79, 0x60, 0x93, 0xcf
+};
+static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
+    0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
+    0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
+    0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
+    0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb,
+};
+static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
+    0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
+    0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
+    0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
+    0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f,
+};
+static const unsigned char aes_256_no_df_pr_returnedbits[] = {
+    0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
+    0x2d, 0x5f, 0x4a, 0x46
+};
+
+
+/*
+ * AES-256 no df no PR
+ */
+static const unsigned char aes_256_no_df_entropyinput[] = {
+    0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
+    0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
+    0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
+    0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3,
+};
+static const unsigned char aes_256_no_df_nonce[] = {
+    0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
+    0x43, 0x96, 0xb9, 0xf0
+};
+static const unsigned char aes_256_no_df_personalizationstring[] = {
+    0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
+    0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
+    0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
+    0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d,
+};
+static const unsigned char aes_256_no_df_additionalinput[] = {
+    0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
+    0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
+    0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
+    0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17,
+};
+static const unsigned char aes_256_no_df_int_returnedbits[] = {
+    0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
+    0xd2, 0x25, 0x75, 0x0e
+};
+static const unsigned char aes_256_no_df_entropyinputreseed[] = {
+    0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
+    0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
+    0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
+    0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb,
+};
+static const unsigned char aes_256_no_df_additionalinputreseed[] = {
+    0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
+    0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
+    0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
+    0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29,
+};
+static const unsigned char aes_256_no_df_additionalinput2[] = {
+    0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
+    0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
+    0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
+    0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6,
+};
+static const unsigned char aes_256_no_df_returnedbits[] = {
+    0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
+    0xf6, 0x02, 0x32, 0xe2
+};
Index: openssl-1.1.1d/crypto/fips/fips_post.c
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/fips_post.c	2020-03-02 14:59:31.902206555 +0100
+++ openssl-1.1.1d/crypto/fips/fips_post.c	2020-03-02 14:59:32.162208061 +0100
@@ -51,7 +51,6 @@
 
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
-#include <openssl/fips_rand.h>
 #include <openssl/err.h>
 #include <openssl/bio.h>
 #include <openssl/hmac.h>
Index: openssl-1.1.1d/crypto/rand/rand_lib.c
===================================================================
--- openssl-1.1.1d.orig/crypto/rand/rand_lib.c	2020-03-02 14:59:31.906206578 +0100
+++ openssl-1.1.1d/crypto/rand/rand_lib.c	2020-03-02 14:59:32.162208061 +0100
@@ -18,7 +18,6 @@
 #include "e_os.h"
 #ifdef OPENSSL_FIPS
 # include <openssl/fips.h>
-# include <openssl/fips_rand.h>
 #endif
 
 #ifndef OPENSSL_NO_ENGINE
Index: openssl-1.1.1d/crypto/fips/build.info
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/build.info	2020-03-02 14:59:31.990207065 +0100
+++ openssl-1.1.1d/crypto/fips/build.info	2020-03-02 14:59:32.162208061 +0100
@@ -2,7 +2,7 @@ LIBS=../../libcrypto
 SOURCE[../../libcrypto]=\
         fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
         fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
-        fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+        fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
         fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
         fips_dh_selftest.c fips_ers.c
Index: openssl-1.1.1d/crypto/fips/fips_drbg_selftest.c
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/fips_drbg_selftest.c	2020-03-02 14:59:31.706205419 +0100
+++ openssl-1.1.1d/crypto/fips/fips_drbg_selftest.c	2020-03-02 14:59:32.162208061 +0100
@@ -774,6 +774,7 @@ int FIPS_drbg_health_check(DRBG_CTX *dct
     return rv;
 }
 
+#if 0
 int FIPS_selftest_drbg(void)
 {
     DRBG_CTX *dctx;
@@ -798,6 +799,7 @@ int FIPS_selftest_drbg(void)
     FIPS_drbg_free(dctx);
     return rv;
 }
+#endif
 
 int FIPS_selftest_drbg_all(void)
 {
Index: openssl-1.1.1d/crypto/fips/fips.c
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/fips.c	2020-03-02 14:59:32.070207528 +0100
+++ openssl-1.1.1d/crypto/fips/fips.c	2020-03-02 14:59:32.162208061 +0100
@@ -50,7 +50,6 @@
 #define _GNU_SOURCE
 
 #include <openssl/rand.h>
-#include <openssl/fips_rand.h>
 #include <openssl/err.h>
 #include <openssl/bio.h>
 #include <openssl/hmac.h>
openSUSE Build Service is sponsored by